Fortified-Grid: Fortifying Smart Grids through the Integration of the Trusted Platform Module in Internet of Things Devices

Abstract

This paper presents a hardware-assisted security primitive that integrates the Trusted Platform Module (TPM) into IoT devices for authentication in smart grids. Data and device security plays a pivotal role in smart grids since they are vulnerable to various attacks that could risk grid failure. The proposed Fortified-Grid security primitive provides an innovative solution, leveraging the TPM for attestation coupled with standard X.509 certificates. This methodology serves a dual purpose, ensuring the authenticity of IoT devices and upholding software integrity, an indispensable foundation for any resilient smart grid security system. TPM is a hardware security module that can generate keys and store them with encryption so they cannot be compromised. Formal security verification has been performed using the random or real Oracle (ROR) model and widely accepted AVISPA simulation tool, while informal security verification uses the DY and CK adversary model. Fortified-Grid helps to validate the attested state of IoT devices with a minimal network overhead of 1984 bits.

1. Introduction

The advancement of technology for the IoT has paved the way for effective ways of communication for smart grid technology [1]. The smart grid can replace the traditional grid to cater to the energy demand. The smart grid would allow two-way communication between utilities and consumers during power transactions. Advanced metering infrastructure (AMI) and smart metering (SM) technologies can upgrade the conventional power grid by disclosing the hidden features of electrical power. The vehicle-to-grid (V2G) network offers bidirectional energy, information transmission, and other characteristics [2]. Smart grids use various devices for monitoring, analyzing, and controlling the grids deployed in power plants, transmission systems, and consumer premises. The security and reliability of the smart grid system are the real challenges due to its heterogeneous connectivity over the network. Hence, smart grids require the connectivity, authentication, automation, and tracking of such devices through the IoT. The Internet of Things (IoT) is a network of cyber-physical objects comprising sensors, actuators, and software that communicate continuously with their surroundings. IoT devices are used in smart grids for generation, transmission, distribution, and consumer purposes with various systems, such as supervisory control and data acquisition (SCADA), AMI, smart meters, etc. The system-level overview of the Fortified-Grid is shown in Figure 1.

The smart grid IoT devices and gateway usually communicate over wireless media; hence, the security of IoT devices has become more challenging. The attacker may compromise the data of devices that are being collected during communication. Hence, IoT devices need more security features, such as authentication, encryption, proper configuration, and the timely updating of software [3,4]. A Raspberry Pi 4 device equipped with TPM for attestation as an IoT device was proposed by reference [5]. The integrity of remote attestation was continuously monitored.

The uses of IoT devices in daily life, such as in the home, the office, transportation systems, smart agriculture, Industry 4.0, and healthcare systems, are increasing rapidly by the day. It is estimated that about 70% of devices will be IoT-based due to the continuously increasing industrialization and urbanization [6]. As per the CISCO survey report, there will be around USD 14.4 trillion worth of devices by the end of 2025 [7]. There will be a huge demand for IoT devices in smart grids applications. IoT smart grids are expected to contribute USD 1.1–2.5 trillion in growth per annum. Hence, in the future, many sensors will be deployed in IoT networks. A protocol for IoT security using TPM and PUF was proposed by reference [8]. The TPM stores the PUF key; hence, any adversary cannot access it from outside.

An effective mutual authentication procedure is required for trusted communication between smart grid IoT devices. Digital certificates are electronic files that prove the authenticity of devices or servers using device identity, the public key, and a cryptographic key. The certificate authority (CA) signs the digital certificate, and all entities trust the CA. In addition to evidence verification using a digital certificate, remote attestation would check the integrity of the IoT software state and would also detect any change. In the remote attestation mechanism, the state of the software or memory proof of untrusted devices is exchanged with the server or another device for verification. RA mechanisms rely on Trusted Platform Modules (TPMs) to generate attestation proofs. The TPM protocol can provide security to manufacturers of IoT devices and service providers, as well as more confidence in certificate-based authentication processes for IoT devices containing a TPM [9]. A TPM wallet security protocol based on blockchain was proposed by reference [10] and can provide security for IoT devices.

An integrity certificate checks software updation, and the results are decided according to the attestation. These certificates in IoT networks are different from conventional certificates due to the different constraints of IoT devices. However, RA results rely on integrity certificates for software state guarantees [11].

This paper’s organization is as follows. Section 2 defines the prior work related to the IoT device security of the smart grid. Section 3 highlights the research gaps and novel contributions. The roles of the Trusted Platform Module (TPM) for hardware-assisted security (HAS) for smart grids are covered in Section 4. Section 5 elaborates the proposed Fortified-Grid model. Section 6 describes the proposed scheme for TPM-based authentication in smart grids. Section 7 explains the security analysis of the proposed TPM-based IoT smart grid network. Section 8 describes the experiment results and a comparison with the state-of-the-art work, while Section 9 discusses the conclusion and final results.

2. Prior Work Related to IoT Device Security for Smart Grids

Secure, reliable, and efficient communication is essential in the IoT-based smart grid network [12]. Various schemes have been proposed in the literature to address smart grid IoT security and privacy challenges. A layered perspective of smart grid security using game theory was proposed by reference [13]. Another lightweight scheme [14,15] provided a basic concept and introduced the idea of smart grids, IoT device authentication, and grid resilience. A batch authentication technique for smart grid IoT devices based on HMAC codes was proposed by reference [16].

In this scheme, they used identity-based signatures to perform batch authentication and used pseudonyms to protect their identities. This scheme outperforms in terms of latency in comparison to other popular schemes. However, this scheme did not provide any solution for trust measurement. In addition, this scheme required extra overhead due to the certificate revocation list. Scheme [17] described the attack detection and mitigation during wireless data transmissions in WSNs, MANETs, and IoT-enabled smart grid networks; the approaches were broadly classified as trust-based and cryptography-based. Figure 2 shows a four-layer IoT-aided smart grid network.

A Chinese-remainder-theorem-based security of VANETs smart grid system suing TPD, ECDLP, was proposed by reference [18]. However, this scheme suffered from integrity measurement and a lack of security. Later, secure message transmission using remote attestation and HMAC techniques was suggested by reference [19]. More importantly, the scheme proved to be secure using the random oracle model under the Diffi Helman key exchange. They used Intel-SGX, which was designed to ensure integrity against physical adversaries. However, it suffers from high communication and computation overheads. A certificate extension-based scheme was proposed by reference [20]. However, this scheme was unable to protect the identity of IoT devices [21]. Remote attestation based on the digital certificate was suggested by reference [22]. However, the scheme did not support hardware-assisted security and firmware integrity. A mutual authentication protocol based on DAA was suggested by the authors of reference [23]. This scheme addresses unmanned aerial vehicle communication security and uses asymmetric key pairing and TPM to combat malicious modular attacks [23]. Similarly, scheme [24] suggested an executable monitoring system with evidence to verify the system’s status. Recently, a TPM-based scheme for smart grid IoT devices and server authentication was suggested by the authors of reference [25]. It used remote attestation and integrity measurement methods to authenticate smart grid remote IoT devices. However, the scheme generated auto-certificates each time during authentication, and one more entity, CAB, was introduced, making the protocol complicated and vulnerable.

The later scheme [26] proposed a certificate-less protocol based on a hash chain base and hash-chain-less framework. However, scheme [27] demonstrated that the above scheme is vulnerable to replay attacks and does not suggest any method to regenerate the hash chain.

Scheme [28] pointed out that TPM is unsuitable for resource-constrained devices due to space, power, and cost limitations, and suggested a crypto acceleration module. However, this was unable to prove the root of trust management. A survey of remote attestation in the Internet of Things [29] proposed a state-of-the-art remote attestation scheme for attestation and summarized the basic features of the protocol. Remote attestation gives attestation responsibility to resource-rich entities, i.e., servers, to make protocols suitable for smart grid IoT networks. To show various characteristics, existing RA was classified into five categories. However, the scheme could not demonstrate a secure attestation algorithm and security analysis. This scheme was vulnerable to replay attacks. A comparison of popular schemes is shown in

Table 1. A comparative analysis of different popular schemes.

Works	Primitive Used	Features	Vulnerabilities
Zhang et al. 2019 [18]	TPD, ECDLP	Chinese-remainder-theorem-based security of VANETs smart grid system.	No integrity measurement, lack of security
Zhong et al. 2021 [19]	TPM, SGX, HMAC	Connected and autonomous vehicles (CAVs) of smart grids	High overhead, lack of proper security mechanism
Wazid et al. 2022 [22]	TTP, Digital certificate	Less computational and communication overhead	Provide no Hardware-assisted security and firmware integrity
Khurshid et al. 2023 [25]	TPM, RATS, X.509	Supports hardware-assisted security and firmware integrity	Each time communicates with TTP for certificate, hence large overheads
Currently proposed (Fortified-Grid)	TPM, RATS, X.509	Hardware security for SG IoT devices, servers, and gateway, TPM ensures the integrity of firmware	Slightly higher overhead due to application of TPM

.

Most schemes discussed above have security flaws, cryptographic key security issues, or large overheads. The proposed scheme also supports adding new smart grid IoT devices after smart grid network deployment. The formal security verification of the scheme is performed using the widely used AVISPA tool and the ROR model against various attacks. Informal security verification is performed using the DY and CK adversary models.

3. Research Gaps and Novel Contributions

3.1. Problem Formulation

In the smart grid, a compromised IoT device’s firmware enables device impersonation and the transmission of false messages to the server. The absence of firmware measurement would compromise the device identity, which causes incorrect data processing and potentially erroneous decisions impacting the smart grid’s functionality. Numerous cryptographic schemes have been suggested to address this issue, yet these protocols often necessitate memory for storing security keys, rendering them susceptible to diverse attacks. The Trusted Platform Module (TPM) offers an innovative solution through an efficient key generation mechanism that enhances security in IoT applications. It can generate keys using a trustworthy route and firmware integrity checks using Platform Configuration Registers (PCR). It showcases the simplicity and resilience in design and implementation. This positions TPM as a dependable and robust security alternative for the smart grid environment.

3.2. Research Gaps

The following research gaps are identified from the literature survey [18,19,22,25]

• To the best of our knowledge, most IoT authentication schemes provide attestation and authentication mechanisms without considering the integrity of the device software.
• Most schemes use a cryptography key for attestation but may be vulnerable to software or intruders.
• Very few schemes provide complete authentication between IoT devices and servers for smart grids.
• Lightweight authentication schemes such as IoT devices in smart grids are generally resource constraints.

3.3. Research Contribution

The novel contributions of the paper are as follows:

• The paper proposes a certificate-based authentication scheme for IoT devices containing a TPM in a smart grid.
• Device authentication utilizes a preloaded certificate and establishes a secret session key after mutual authentication.
• The integrity of device software is ensured using TPM PCR measurement and comparison.
• The proposed scheme has validated its performance on the widely acceptable AVISPA tool and the random or real (ROR) model.
• Our analysis illustrates that the proposed model is secure, privacy-preserving, and supports minimal communicational overhead.

4. The Roles of the Trusted Platform Module (TPM) for Hardware-Assisted Security (HAS) for Smart Grids

IoT aids smart grids to face various security challenges such as integrity, impersonation, denial of service (DoS), replay attacks, malware attacks, etc. A TPM is a cryptography co-processor hardware chip, developed by the Trusted Computing Group (TCG), embedded in SG IoT devices. TPM is integrated with IoT devices, gateway nodes, and servers. In remote attestation and firmware updating, a TPM-based server, which is placed away from the smart grid of IoT devices, collects and checks the measurement results. This section describes the technology and background information required for Fortified-Grid security and authentication.

4.1. Hardware Assisted Security (HAS)

Hardware-assisted security involves integrating specialized hardware components and functionalities to bolster the security of digital systems. These hardware elements work in conjunction with software-based security measures, adding an extra layer of defence against a range of threats. Examples encompass TPM, Hardware Security Modules (HSM), secure enclaves, and hardware-based encryption accelerators. These components provide capabilities such as secure key storage, encryption and decryption, secure boot, and isolated execution environments. Doing so enhances overall system security by minimizing attack opportunities and enhancing resilience against diverse cyber threats.

In smart grid IoT networks, the security of data can be put at risk regardless of which technique is used. In these systems, different types of security challenges exist, such as physical attacks, side-channel attacks, firmware or software modification, information security, privacy, protection, Bluetooth hardware security, etc. However, the severity and complexity of these attacks require a level of security. This would be ensured through hardware support. Due to the several advantages of TPM, we have used it with IoT devices for hardware security in our scheme. Security, by design, must be energy efficient, robust, low-cost, fast, and reliable.

4.2. Trusted Platform Module (TPM) for Smart Grid IoT Devices

The TPM is an encryption co-processor built by the Trusted Computing Group (TCG). Smart grid IoT devices and servers contain TPM. TPM is a hardware security module that can generate and store encrypted keys, so they cannot be compromised. Every TPM has its own private endorsement key (EK) issued by a reliable Certified Authority (CA). It allows for easy authentication methods to be established, guaranteeing that the communication device in question includes a genuine and recognizable TPM. The security of a smart grid IoT deployment can be significantly bolstered by combining TPM features like secure boot and hardware/software attestation. The following are some of TPM’s most important characteristics:

• Key generation and secure storage: Communication mainly occurs in the smart grid system in an open environment. Hence, secure storage and key generation are fundamental requirements in the smart grid network. The generation of cryptographic keys is one of the TPM’s fundamental functions. The secret key is generated by a random number generator (RNG) or a secret seed. TPM can generate an infinite number of keys. The endorsement key (EK) always remains inside the TPM, while the Attestation Identification Key (AIK) is used for attestation purposes.
• Integrity management: This is another vital feature of TPM. For the integrity of devices in smart grid IoT systems, all devices must be periodically configured because any vulnerability in any device increases the likelihood that the entire system will fail. TPM has multiple Platform Configuration Registers (PCRs), and the PCRs hash and store system states. After the defined interval, each execution hash value is recomputed and compared with the previous accumulated value. As resetting or rolling back the PCR to its original state is impossible, any suspicious activity can be easily detected. An integrity measurement at system boot or startup ensures the client’s trust [30].
• Remote attestation: The advantages of the remote attestation technique for smart grid systems include confidentiality and defense against the man in the middle (MITM). Cryptography-based systems are considered secure against various attacks, but in some instances, cryptography keys are compromised, resulting in the entire system being under threat. Therefore, validating the entity or key became imperative before allowing system access. TPM performs an attestation to validate the entity’s or key’s trustworthiness and authenticity. TPM generates a quote that contains the hash of the PCR state and nonce, signed by TPM. At the other end, if the TPM signature is validated, it is authenticated, and the nonce ensures the freshness of the quote and avoids a replay attack.
• Authorization of an entity: This gives an authenticated device or user the necessary permissions to access smart grid resources. Access control ensures that correctly recognized entities only access SG resources. By managing an entity’s authorization, malicious attackers can alter the status or data of the entity. TPM can be used to mitigate these security threats. The PCR can be set to a specific value by defining a specific policy for an entity, so that when PCR is set to a desirable value, devices are only accessible. Hence, all IoT devices are protected from unauthorized access, as all PCRs can roll back to the desired value.
• User Identification and Secure Communication: One of the key differences between smart and traditional grids is their two-way communication. This has several potential benefits, such as distributed smart sensors, distributed power generation, real-time measurements with metering infrastructure, monitoring systems, and fast response, which require reliable communication and information exchange. It enables smart grids to communicate effectively to provide dependable electricity generation and distribution. TPM generates a random nonce that prevents replay attacks and secures communication between smart grid IoT devices [31].

4.3. Digital Certificate Extensions in SG-IoT Network

An X.509 certificate is a digital certificate that uses the public key infrastructure (PKI) standard and contains an additional extension field to be used in the certificate. The digital certificate is a safeguard against various attacks. It enables IoT devices and servers to exchange information securely. X.509 v3 contains several additional fields, such as the device’s unique identification string, serial number, the public part of a secret key, issuer name, validity period, signature, etc. The digital certificate X.509 profile is depicted in Figure 3.

4.4. Remote Attestation Procedures (RATS) in IoT-Aided Smart Grids

In a smart grid IoT network, untrusted devices communicate or authenticate with trusted or untrusted devices. The remote attestation procedure (RATS) technique determines whether a smart grid device can trust the remote entity. This establishment of trust is achieved using a two-stage challenge–response algorithm facilitated by a trusted third party (TTP), also known as a certificate authority.

The primary role of RATS is generating, transmitting, and evaluating attestation evidence. An attester would generate the evidence, which would be transmitted to verifiers for the process of verification. Here, attestation can be implemented using TPM quotes, PCR values, and PCR log evidence, which provides the state of the software. During attestation, the PCR computes the hash value of the current state and updates the previous store value. The TPM can report the hash value of a signed PCR and nonce, known as the quote.

5. The Proposed Fortified-Grid Model

5.1. Network Model

In the Fortified-Grid model, we have considered the example of a power quality monitoring system in SCADA of the proposed energy cyber-physical system (E-CPS). Power quality monitoring devices are connected to the network for harmonics monitoring, voltage sags, swells, and unbalances. Here, IoT device A connects to the measure voltage fluctuations, while IoT device B connects to the capacitor banks. Here, device A continues to monitor the voltages and, if required, it instructs device B to take a corrective measurement. Such measurement includes as switching the capacitor bank and voltage regulator to improve the power quality so that the customer receives a quality power supply all the time. This type of device integration may be used for another part of SG-CPS.

The Fortified-Grid network model is depicted in Figure 4. The Fortified-Grid consists of three entities: smart grid IoT devices, gateway nodes (GWN), and servers. A certificate authority (CA) is a trusted authority and may be an IoT owner, manufacturer, or trusted third party (TTP). The smart grid IoT entities contain a hardware chip called TPM, which provides true random number generation, cryptographic key generation, the secure storage of keys, quotes, and software state measurement. Smart grid IoT devices connected via the internet can communicate with each other in real time by establishing a secret session key.

Before communicating with other entities, the devices prove their authenticity and integrity to each other. Generally, several schemes adopt certificate-based single-factor authentication, but our protocol considers two-factor authentication, where the integrity of local devices is also validated. A session key is only to be established when both credentials are validated.

5.2. Assumptions

We have assumed that TCG specifications are truly implemented in our TPM-based proposed scheme. The root of trust management is adopted correctly. We have assumed that the smart grid IoT manufacturer has installed the TPM in devices and certificates. We have also assumed that CA, GWN, and servers are trusted entities that are secure from internal and external attacks. We have assumed that adversaries cannot manipulate the TPM configuration. Further, we have assumed that the devices are physically inaccessible and the adversary is unable to perform the side-channel attack.

5.3. Threat Model

Dolev and Yao introduced the Dolev–Yao adversary model in 1983. We consider the two famous Dolev Yao (DY) and Canetti–Krawczyk (CK) adversary models for security analysis in this paper [32]. In the DY model, an adversary has the following capacity and can perform the below attacks:

• An adversary can control the insecure communication channels of an SG network and hence eavesdrop, modify, alter, or block transmitted messages on the smart grid IoT network.
• An adversary can obtain secrets stored in NVM for smart grid devices via a side-channel attack.
• An adversary cannot compromise GWN since it is fully trusted in a smart grid system.
• An adversary can perform clone or physical attacks, a man in the middle, password guessing, etc., except they cannot perform cryptanalysis in a smart grid network.

The CK adversary model is more potent than the DY model and is popularly used in authentication and key exchange schemes. In addition to the above attacks, the CK adversary model can access ephemeral or secret parameters stored in the memory of an entity via explicit attack. The CK adversary model guarantees that information leakage in any session does not affect the security of the next session.

6. Proposed Scheme for TPM-Based Authentication in Smart Grids

Table 2. List of symbols.

Symbols	Descriptions
P	Generator point ECC
h	One-way hash function
$Io{T}^A$, $Io{T}^B$	IoT Dev A,B
$N_a$, $N_b$	Random number a,b
$PC{R}^A$, $PC{R}^B$	PCR value of A,B
${PC{R}_{eve}}^A$, ${PC{R}_{eve}}^B$	PCR event value of A,B
$PC{R}_{rev}^A$, $PC{R}_{rev}^B$	PCR reference value of A,B
$AI{K}_{pu{b}^A}$, $AI{K}_{pu{b}^B}$	Attestation Public key of A,B
$AI{K}_{pv{t}^A}$, $AI{K}_{pv{t}^B}$	Attestation Pvt. key of A,B
$cer{t}_A$, $cer{t}_B$	Digital certificate of dev. A,B
Ta, Tb	Time stamp of A,B
$d{h}_A.pub$, $d{h}_B.pub$	Diffi–Helman Public key of A,B

defines the notations used in this scheme. The detailed sequence of the proposed security scheme is shown below. It may be classified into four steps: (a) Registration, (b) Initialization, (c) Remote attestation, and (d) Session key generation. Detailed information about these steps is defined in the subsequent subsection. The initialization phase steps are depicted in Algorithm 1, while the registration phase steps are depicted in Algorithm 2. The session key steps are described in Algorithm 3.

6.1. Registration Phase

During the registration phase, IoT devices in the smart grid obtain a digital certificate from CA offline. The TPM is equipped with an Endorsement Key (EK). The attestation key (AIK) is generated using an EK.

6.2. Initialization Phase

During the initialization phase, device A generates a random nonce A using TPM and sends it toward device B. Similarly, device B generates nonce Nb and sends it toward device A. Further, both devices generate and transmit PCR event values toward each side.

Algorithm 1: Initialization Process

$Io{T}^A$: Smart grid IoT device A creates a random nonce $N_a$ and measure PCR event log ${PC{R}_{eve}}^A$ $Io{T}^A$→$Io{T}^B$: $N_a$, ${PC{R}_{eve}}^A$ $Io{T}^B$: IoT device B creates a random nonce $N_b$ and measure PCR event log ${PC{R}_{eve}}^B$ $Io{T}^B$→$Io{T}^A$: $N_b$, ${PC{R}_{eve}}^B$

Algorithm 2: Authentication Process

$Io{T}^A$: Smart gird IoT device A creates a TPM Quote quote${}^A$ = ($N{}_b\Vert PC{R}^A{)}_{AI{K}_{pv{t}^A}},cer{t}_A=(AI{K}_{pu{b}^A}$) $Io{T}^A$→$Io{T}^B$: quote${}^A$,PCR${}^A$, cert${}_A$,Ta $Io{T}^B$: verify the signature of CA and extracts $AI{K}_{pu{b}^A}$ from $cer{t}_A$ $Io{T}^B$: unsign $quot{e}^A$ and verify $quot{e}^A$ contains expected $PC{R}^A$ and $N_b$ $Io{T}^B$: verify if event log of $PC{R}_{eve}^A$ = $PC{R}^A$ $Io{T}^B$: IoT device B creates a TPM Quote quote${}^B$ = ($N_a$$\Vert PC{R}^B{)}_{AI{K}_{pv{t}^B}},cer{t}_B=(AI{K}_{pu{b}^B}$) $Io{T}^B$→$Io{T}^A$: quote${}^B$, cert${}_B$,Tb $Io{T}^A$: verify the signature of CA and extracts $AI{K}_{pu{b}^B}$ from $cer{t}_B$ $Io{T}^A$: verify $quot{e}^A$ contains expected $PC{R}^B$ and $N_a$ $Io{T}^A$: verify if ${PC{R}_{eve}}^B$ = $PC{R}^B$ $Io{T}^A$: verify if ${\Delta }_t$ ≤ Ta − Tb

Algorithm 3: Session Key Generation and Exchange

$Io{T}^A$: smart gird IoT device A TPM generates ephemeral key pair $d{h}_A$, public part of ephemeral key $d{h}_A.pub$ $Io{T}^A$: calculates secret${}^A={\left(d{h}_A.pub,N_B\right)}_{AI{K}_{pv{t}^A}}$ $Io{T}^A$→$Io{T}^B$: secret${}^A$, $d{h}_A.pub$, cert${}_A$,Ta $Io{T}^B$: verify the signature of CA and extracts $AI{K}_{pu{b}^A}$ from $cer{t}_A$ $Io{T}^B$: verify $secre{t}^A$ contains expected $N_b$ and $d{h}_A.pub$ $Io{T}^B$: IoT device B TPM generates ephemeral key pair $d{h}_B$, public part of ephemeral key $d{h}_B.pub$ $Io{T}^B$: calculates session key SKba = kdf($d{h}_B.pvt$‖$d{h}_A.pub$‖$N_b$‖$N_a$) $Io{T}^B$: calculates secret${}^B={\left(d{h}_B.pub,N_A\right)}_{AI{K}_{pv{t}^B}}$ $Io{T}^B$→$Io{T}^A$: secret${}^B$, $d{h}_B.pub$, cert${}_B$,Tb $Io{T}^A$: verify the signature of CA and extracts $AI{K}_{pu{b}^B}$ from $cer{t}_B$ $Io{T}^A$: verify $secre{t}^B$ contains expected $N_a$ and $d{h}_B.pub$ $Io{T}^A$: calculates session key SKab = kdf($d{h}_A.pvt$‖$d{h}_B.pub$‖$N_a$‖$N_b$)

6.3. Remote Attestation Phase

The previously exchanged nonce is included in this signature to avoid a replay attack. During this phase, quotes are exchanged and verified. This is done according to the Trusted Computing Group (TCG) protocol [33]. The step-by-step attestation procedure is shown in Figure 5.

• Step 1: Device A, which wants to communicate with B, generates a unique random nonce (Na). It sends the value of Na towards B and makes a request for a PCR event log. Attesting device PCRs ($PC{R}^A$ and $PC{R}^B$) are extended with measurements. Device B generates a unique random nonce (Nb) PCR event log (PCReveB) and sends it toward A. After that, device A sends the PCR event log (PCReveA) towards B. Finally, both devices exchange the nonce, and send the PCR event logs to each other.
• Step 2: IoT device A creates a TPM quote $quot{e}^A$ and sends $quot{e}^A$, $PC{R}^A$, $cer{t}_A$ towards device B.
• Step 3: Device B verifies the signature of CA and extracts $AI{K}_{pu{b}^A}$ from $cer{t}_A$ and unsign $quot{e}^A$ and verify $quot{e}^A$ contains expected $PC{R}^A$ and $N_b$. Further verify if event log of $PC{R}_{eve}^A$ = $PC{R}^A$
• Step 4: Device B transmits $quot{e}^B$, $PC{R}^B$, $cer{t}_B$ toward device A.
• Step 5: Device A verifies the signature of CA and extracts $AI{K}_{pu{b}^B}$ from $cer{t}_B$ and unsign $quot{e}^A$ and verify $quot{e}^A$ contains expected $PC{R}^B$ and $N_a$. Further verify if event log of $PC{R}_{eve}^B$ = $PC{R}^B$
• Step 6: Verify if the time difference is within the threshold limit ${\Delta }_t$ ≤ Ta − Tb.

The device should not be trusted, and it should be discarded if any one of theses is satisfied:

• The signature of TPM evidence does not match;
• If the nonce in the quote does not match the original quote, as it may be a replay message;
• If the PCR value received in the quote does not match the PCR evidence log;
• If the time difference Ta or Tb exceeds the threshold limit set for the freshness of messages.

6.4. Session Key Establishment Phase

At first, smart grid device $Io{T}^A$ creates a fresh ephemeral key pair using the TPM. Ephemeral keys are generated each time a fresh session is established. As ephemeral key pairs are generated inside the TPM, its public part is signed using the attestation key of TPM $AI{K}_{pv{t}^A}$. A randomly generated previously exchanged nonce is included in the secret parameter to avoid the replay of messages. Finally, device A sends $secre{t}^A$, $d{h}_A.pub$, $cer{t}_A$ towards device B. Device B checks the dh key generated by the trusted system by verifying the signature with the certificate of device A. Device B also checks the nonce sent earlier and generates the session key SKab = kdf($d{h}_B.pvt$‖$d{h}_A.pub$‖$N_b$‖$N_a$). Similarly, Device B generates fresh ephemeral pairs using TPM. The signed public part of the pair using AIK Pvt key sends $secre{t}^B$, $d{h}_B.pub$, $cer{t}_B$ towards device A. A session key is generated using kdf SKab = kdf($d{h}_A.pvt$‖$d{h}_B.pub$‖$N_a$‖$N_a$).

7. Security Analysis of Proposed TPM-Based IoT Smart Grid Network

The proposed protocol’s formal security is examined using the ROR oracle model and the automatic security verification tool, AVISPA. In contrast, informal security is examined in various attack situations.

7.1. Security Verification Using AVISPA Tool

We formally verify our security protocol using the popular AVISPA simulation tool. The role of each entity is defined using the HLPSL programming language.

It uses two popular backends for the program’s execution, i.e., OFMC and Cl-AtSe. The results show that our protocol is safe. The security of the protocol is verified on both backends. AVISPA shows different security attacks during the protocol simulation in the intruder section if the protocol is unsafe. This protocol uses the Dolev–Yao model as the intruder model [34]. The result of the AVISPA simulation is depicted in Figure 6.

7.2. Formal Verification Using Random or Real Oracle Model

Formal security verification is based on the ROR model, which measures protocol security by evaluating the probability of SK cracking on the repeated game round in the smart grid. The proposed ROR model assumes that the adversary $\mathcal{A}$ can interact with another communicating entity Y = ($Io{T}^A$, $Io{T}^B$, GWN); here, ${\prod }_{A_i}^x$, ${\prod }_{B_j}^y$, and ${\prod }_{G_k}^z$ can perform the following queries:

• Send (Y, M): In this query, $\mathcal{A}$ can send message M to Y in the smart grid and receive a specific entity’s response.
• Execution (Y): $\mathcal{A}$ uses this query to launch a passive attack in the smart grid. It can eavesdrop on all messages transmitted between ${\prod }_{A_i}^x$, ${\prod }_{B_j}^y$, and ${\prod }_{G_k}^z$.
• Reveal (Y): $\mathcal{A}$ can get the session key SK of ${\prod }_{A_i}^x$, ${\prod }_{B_j}^y$ by executing this query.
• Corrupt (Y): If this query is executed, it will obtain the long-term session key SK in the smart grid.
• Test (Y): $\mathcal{A}$ can send a query to any participant in V2G, and it tosses a coin. Obtain the correct secret key if C = 1 $\mathcal{A}$. If C = 0, then a randomly selected value of the same bit string, which equals SK, is returned.

Theorem 1.

Assume that $\mathcal{A}$ is a running polynomial-time adversary and performs the queries, then the probability that $\mathcal{A}$ can break protocol is

$${Adv}_{\mathcal{P}}^{SK}\left(\mathcal{A}\right)\le \frac{q_s}{2^{l-2}}+\frac{{3q}_h^2}{2^l}+2max\{C^{{}^{\prime }}.q_s^{{}^{\prime }},\frac{q_s}{2^l}\}$$

where $q_s$ and $q_t$ indicates the number of send and TPM queries, respectively, l represents the number of bits, and $C^{\prime }$ is a constant [35].

Proof. 

We present the proof of the theorem with the help of seven game rounds $G_m=\left\{0,1,2,3,4,5,6\right\}$. ${Succ}_P^{G_m}$ indicates the probability of winning in various rounds of the game, and ${Adv}_{\mathcal{P}}^{SK}$ indicates the advantage of breaking the protocol.

• ${\mathbf{Game}}_{\mathbf{0}}$: In the first round of the game, $G_0$ does not make any query. The probability of $\mathcal{A}$ successfully cracking is

  $${Adv}_{\mathcal{P}}^{SK}\left(\mathcal{A}\right)=2Pr\left[{Succ}_P^{G0}\right]-1.$$

  (1)
• ${\mathbf{Game}}_{\mathbf{1}}$: In this round, $Gam{e}_1$ performs Execute (Y) operation. $\mathcal{A}$ only intercepts message QuoteA, QuoteB, CertA, and CertB transmitted over an insecure communication channel. Since the value of dhA.pvt and dhB.pvt are unknown, $\mathcal{A}$ can not calculate the secret session key SKab and SKba. Hence, the probability of $Gam{e}_1$ is same as $Gam{e}_0$.

  $$|Pr\left[{Succ}_P^{G1}\right]=Pr\left[{Succ}_P^{G0}\right]$$

  (2)
• ${\mathbf{Game}}_{\mathbf{2}}$: In this round, $Gam{e}_2$ performs a Send (Y) operation other than $Gam{e}_1$. As per Zipf’s law, the probability of $Gam{e}_2$ is

  $$|Pr\left[{Succ}_P^{G2}\right]-Pr\left[{Succ}_P^{G1}\right]| \le \frac{q_s}{2^l}$$

  (3)
• ${\mathbf{Game}}_{\mathbf{3}}$: In this round, $Gam{e}_3$ performs one more query (Y) operation and one less operation Send (Y). According to the birthday paradox, the probability of collusion occurring during the hash query simulation is

  $$|Pr\left[{Succ}_P^{G3}\right]-Pr\left[{Succ}_P^{G2}\right]| \le \frac{q_t^2}{2^{l+1}}$$

  (4)
• ${\mathbf{Game}}_{\mathbf{4}}$: In this game $\mathcal{A}$ uses ${\prod }_{A_i}^x$, ${\prod }_{B_j}^y$ to acquire the $Io{T}^A$ or $Io{T}^B$ secret dh key $d{h}_A.pvt$. Assume that $\mathcal{A}$ acquires the $Io{T}^A$ dh key $d{h}_A.pub$. Because $\mathcal{A}$ cannot calculate the value of $d{h}_A.pvt$, it cannot calculate the SK, where SKab = kdf($d{h}_A.pvt$‖$d{h}_B.pub$‖$N_a$‖$N_b$). Therefore, the probability of $Gam{e}_4$ is

  $$|Pr\left[{Succ}_P^{G4}\right]-Pr\left[{Succ}_P^{G3}\right]| \le \frac{q_s}{2^l}+\frac{q_t^2}{2^{l+1}}$$

  (5)
• ${\mathbf{Game}}_{\mathbf{5}}$: $\mathcal{A}$ uses Corrupt (Y) to capture the parameters in $secre{t}^A$ is $d{h}_B.pub$, $N_A$. Therefore, the probability of $Gam{e}_5$ is

  $$|Pr\left[{Succ}_P^{G5}\right]-Pr\left[{Succ}_P^{G4}\right]| \le max\{C^{{}^{\prime }}.q_s^{{}^{\prime }},\frac{q_s}{2^l}\}$$

  (6)
• ${\mathbf{Game}}_{\mathbf{6}}$: In this game, $\mathcal{A}$ can guess session key SKab and SKba. The session key remains independent from oracle and other parameters. Hence, the probability of $Gam{e}_6$ is

  $$|Pr\left[{Succ}_P^{G6}\right]-Pr\left[{Succ}_P^{G5}\right]| \le \frac{q_t^2}{2^{l+1}}$$

  (7)

  Hence, the probability that $\mathcal{A}$ can guess is

  $$|Pr\left[{Succ}_P^{G6}\right]| = \frac{1}{2}$$

  (8)

  based on Equations (1)–(8), we obtain the following result:

  $$\begin{array}{cc}\hfill \frac{1}{2}{Adv}_{\mathcal{P}}^{SK}\left(\mathcal{A}\right)=& |Pr[{Succ}_P^{G0}]-1/2.|\hfill \\ \hfill =& |Pr\left[{Succ}_P^{G0}\right]-Pr\left[{Succ}_P^{G6}\right]|\hfill \\ \hfill =& |Pr\left[{Succ}_P^{G1}\right]-Pr\left[{Succ}_P^{G6}\left(\mathcal{A}\right)\right]|\hfill \\ \hfill \le & \sum _{n=0}^{5}Pr\left[{Succ}_P^{G_{n+1}}\left(\mathcal{A}\right)\right]-Pr\left[{Succ}_P^{G_n}\left(\mathcal{A}\right)\right]\hfill \\ \hfill =& \frac{q_s}{2^{l-1}}+\frac{{3q}_t^2}{2^l}+max\{C^{{}^{\prime }}.q_s^{{}^{\prime }},\frac{q_s}{2^l}\}\hfill \end{array}$$

  (9)
  Based on Equations (1)–(8), we obtained Equation (10), which proves the theorem.

  $${Adv}_{\mathcal{P}}^{SK}\left(\mathcal{A}\right)\le \frac{q_s}{2^{l-2}}+\frac{{3q}_t^2}{2^l}+2max\{C^{{}^{\prime }}.q_s^{{}^{\prime }},\frac{q_s}{2^l}\}$$

  (10)

□

7.3. Informal Security Analysis

This section examines several security threats using informal security analysis, which is extensively used to demonstrate the cryptographic protocol’s features. The protocol can withstand numerous attacks, such as replay, man-in-the-middle, impersonation, and anonymity attacks.

Proposition 1.

The proposed scheme can mitigate man-in-the-middle attacks.

Proof. 

During a MiTM attack, an intruder in the smart gird inserts themselves between the $Io{T}^A$ and $Io{T}^B$ message exchanges and obtains control of their communication. Suppose an intruder intercepts the relayed transmissions and attempts to alter $quot{e}^A$, $PC{R}^A$, $certA$ or $quot{e}^B$, $PC{R}^B$, $certB$ by impersonating a legal entity in front of the other. This is not possible until the adversary obtains the ($quot{e}^A$ or $certA$) of the $Io{T}^A$ / $Io{T}^B$. Without knowledge of the quote, an adversary cannot calculate the PCR. Further, authentication is terminated if $N_a$ and $N_b$ are not the same. Consequently, the adversary cannot perform the MITM attack under the analyzed scenarios. □

Proposition 2.

The proposed scheme can resist a replay attack.

Proof. 

In this attack, an intruder cannot use the message $quot{e}^A$ or $quot{e}^B$ as $N_a$ / $N_b$ and Ta, Tb change in each session; hence, the adversary cannot reuse the message $quot{e}^A$ or $quot{e}^B$ in each session as a new quote message is generated. □

Proposition 3.

The proposed protocol can ensure message integrity.

Proof. 

In the smart grid, $Io{T}^A$ and $Io{T}^B$ generate a new session key in each session. $Io{T}^A$ and $Io{T}^B$ produce fresh (dhA, dhB, $N_a$, $N_b$) and new timestamps (Ta, Tb). The message confirms the integrity and authentication of the message data transmission. □

Proposition 4.

The proposed protocol can mitigate DoS attacks.

Proof. 

In this attack, an adversary may flood the network by delivering unwanted and bogus packets to all protocol entities of smart gird. In our proposed scheme, every entity immediately verifies the received messages against bogus messages and checks the freshness of the timestamp. $Io{T}^A$ and $Io{T}^B$ generate a new session key in each session. $Io{T}^A$ and $Io{T}^B$ produce fresh ($N_a$, $N_b$) and new timestamps (Ta, Tb). Hence, they protect against DOS attacks. □

Proposition 5.

The proposed protocol is resilient against backward and forward key secrecy.

Proof. 

Only a legitimate $Io{T}^A$ can generate $d{h}_A.pvt$, hence calculating fresh SKab = kdf($d{h}_A.pvt$‖$d{h}_B.pub$‖$N_a$‖$N_b$). Similarly, legitimate $Io{T}^B$ can generate fresh SKba = kdf($d{h}_B.pvt$‖$d{h}_A.pub$‖$N_b$‖$N_a$). If any session key is compromised, this does not help to recover the past or future session keys. Hence, this provides session key security against any attack. □

Proposition 6.

The proposed protocol supports anonymity.

Proof. 

Anonymity means the identity of the $Io{T}^A$ and $Io{T}^B$ is not disclosed during communication. In TPM-SGIoT, every $Io{T}^A$ and $Io{T}^A$ have TPM, which generates a unique AIK during registration with GWN, and the key is not transmitted during communication. Moreover, the dh of $Io{T}^A$ and $Io{T}^B$ is different in each session. Thus, an adversary cannot identify the same $Io{T}^A$ or $Io{T}^B$ in a different session. □

8. Experimental Results

This section provides a detailed comparison of various schemes’ computational and communication overheads. Specifically, it focuses on comparing the computational costs of different schemes. The computations involving large integers are performed using GMP library version 6.1.2 while pairing calculations utilize PBC library version 0.5.14. The experimental setup employs Ubuntu 16.04 as the operating system, an Intel Core i7-6700 CPU running at 4 GHz, and a memory capacity of 16 GB.

Table 3. Execution time of different cryptographic operations.

Cryptographic Operation	Time ($\mathsf{\mu }$s)
Hash (Th)	0.138
Random number (Trng)	0.535
Encryption (Te)	4.420
Decryption (Td)	4.420
Bilinear pairing (Tbp)	42.11

shows some basic operation execution times;

Table 4. Computational cost comparison.

Scheme	Authentication Cost	Session Cost	Total Cost ($\mathsf{\mu }$s)
Zhang et al. [18]	5 Te + 2 Th	Te + Th	23.75
Zhong et al. [19]	2 Tbp + Th	2 Th	84.48
Wazid et al. [22]	6 Tem + 11 Th	6 Tem + 12 Th	56.26
Khurshid et al. [25]	2 Trn + 3 Te + 3 Td	2 Trn + 3 Te + 3 Td + 2 Th	55.18
Fortified-Grid	2 Trn + 2 Te + 2 Td	2 Trn + 2 Te + 2 Td + 2 Th	37.78

provides a comparison of the computation overhead; and

Table 5. Communication cost comparison.

Scheme	Total Cost (bits)
Zhang et al. [18]	672
Zhong et al. [19]	2848
Wazid et al. [22]	2176
Khurshid et al. [25]	2368
Fortified-Grid	1984

defines the comparison of the communication overheads of different schemes.

8.1. Computational Overhead Analysis

This subsection compares our scheme’s computational cost with those in references [18,19,22,25]. To achieve authentication, scheme [18] will cost 6 Te + 3 Th = 23.75 $\mathsf{\mu }$s. Scheme [19] will cost 2 Tbp + 3 Th = 84.48 $\mathsf{\mu }$s. Similarly, scheme [22] will cost 12 Tem + 23 Th = 56.26 $\mathsf{\mu }$s and scheme [25] will cost 4 Trn + 6 Te + 6 Td + 2 Th = 37.78 $\mathsf{\mu }$s, respectively.

The proposed scheme will cost 4 Trn + 4 Te + 4 Td = 37.78 $\mathsf{\mu }$s. However, the computational cost of our scheme is higher than the scheme in reference [18], but our scheme has the added advantage of the TPM–IoT security layer for a secure smart grid network.

8.2. Communicational Overhead Analysis

As mentioned earlier, the certificate cost is 160 bits, the timestamp is 32 bits, the secret concatenation (quote and secret) is 160 bits, the random nonce is 160 bits, and the public dh key is 320 bits. A comparison of the communication cost of the Fortified-Grid and other popular schemes is shown in Figure 7. In this subsection, the Fortified-Grid communicational cost is compared with those in references [18,19,22,25] for the attestation and key procedures. The communication cost of scheme [22] will be 2176 bits, and scheme [18] cost will be 672 bits. Similarly, scheme [19]’s cost will be 2848 bits, while scheme [25]’s cost will be 2800 bits.

In the Fortified-Grid, quotes, PCR, and certificates are exchanged during authentication. Hence, overhead A to B (160 + 32 + 160) = 352 bits; similarly, overhead B to A is (160 + 32 + 160) = 352 bits. The overhead is (160 + 160 + 320) = 640 bits during a key exchange between A and B. Hence, the total overhead on both sides is 1280 bits. As a result, the total communication overhead in our scheme is (704 + 1280) = 1984 bits. The communication cost of our scheme, the Fortified-Grid, is less than the schemes of references [19,22,25]. However, it is more than the scheme of reference [18].

However, it has added the advantage of the TPM–IoT security layer for a secure smart grid network. The results show that our scheme provides security against all major attacks.

8.3. Discussion

This subsection presents the proposed TPM-based attestation scheme’s challenges, advantages, and limitations.

• The major challenges for secure IoT redeployment in a smart gird are secret key leakage, firmware compromise, and hardware-based routes of trust. To mitigate these challenges, we propose an X.509 certificate-based TPM protocol.
• The proposed scheme addresses hardware security challenges, secret key storage, integrity measurement, and remote firmware upgrades. TPM protects against ransomware or any other kind of hack and malware.
• However, these schemes have limitations, such as the dynamic addition of new nodes. Due to space, power, and cost limitations, TPM is unsuitable for resource-constrained devices. Research is needed to reduce the cost and power consumption for the wide application of TPM in security. A trusted third party or certificate authority (CA) is required for the validation of digital certificate X.509. The results are also compared with other state-of-the-art methods, where our proposed model outperforms other related work in terms of computational overhead and robustness.

9. Conclusions

This paper presents a smart grid security framework through the integration of TPM into IoT devices. TPM prevents the malicious modification of firmware during the secure boot and authentication process. This framework relies on the IETF RATS attestation scheme, based on TPM2.0, to generate integrity proof and evidence that utilizes X.509 certificates loaded into IoT devices for authentication and session key generation. The certificates for IoT devices are created by the TTPs using a private key only. The security advantages of integrating TPM into IoT devices also open up the potential for more widespread use in other CPS. We have proposed integrating the Fortify-Grid mechanisms into existing standards to facilitate their adoption in the emerging smart grid.

The threat model uses the CK adversary and ROR models for security verification. A detailed security analysis using the ROR model, AVSIPA, and CK adversary model shows that our proposed scheme is safe against attacks such as man in the middle, replay, denial of service, etc. In addition, integrity measurements are only maintained in the Fortify-Grid, whereas other comparable schemes do not fulfil these requirements. Our scheme’s computational overhead is less than other popular schemes with enhanced security.