A zero-trust based scheme for detecting illegal terminals in the Internet of Things of smart grid

Unified identity management platform

Currently, many scholars at home and abroad are committed to the research of illegal device detection in power IoT: Fernandez & Brazhuk (2024) propose a power IoT smart terminal security protection technology to detect illegal power assets by analysing base station location position and device fingerprints; Hussain, Farooq & Ustun (2020) propose an association data authentication encryption algorithm to achieve the integrity and confidentiality of Generic Object Oriented Substation Event (GOOSE) messages; Chen et al. (2020) propose an integrated terminal identity authentication technology, which combines the collected user identity information with the device fingerprint to form a unique identifier that cannot be replicated, and achieves accurate detection of the legitimacy of power terminals; La, hao & Zhang (2022) propose a power terminal security authentication scheme based on SM9 threshold signatures, which achieves lightweight verification of the legitimacy of power terminals; Yang et al. (2023) propose an edge computing-oriented power terminal lightweight authentication protocol for edge computing, which reduces computation and communication overheads on the basis of effective verification of terminal legality.

The above research on detecting illegal devices in power IoT ensures the legitimacy of the access Device. However, the nature of this security authentication mechanism is “once authenticated, always trusted”, which has serious security risks.

Current research status of electric power network security solutions based on zero trust architecture

The zero-trust concept was originally born in the Jericho Forum (2020) and was formally introduced by John Kindervag in 2010. The generic model of zero-trust architecture mainly consists of authentication and management of access subjects, dynamic trust analysis and evaluation, and secure access decision and control.

In recent years, the application of zero-trust architecture has been studied in the field of power system security, but has not yet been applied on the ground. Table 1 shows the comparison of existing zero trust solutions. Liu et al. (2021) propose proposes a zero-trust-based power grid security protection model, which mainly contains trusted access agent, dynamic trust level assessment and security access control. It proposes a trust assessment algorithm that calculates the trust level based on the deviation between the feature information and the benchmark value in the trust level assessment module, but it does not explain the method of obtaining the benchmark value. Liu et al. (2020) propose a zero-trust-based energy Internet security protection architecture, which mainly includes four aspects: terminal access control, dynamic authorisation management, unified identity management and security as a service. It proposes a method of calculating the current trust measure value based on the historical trust level and risk level in the terminal access control part, but does not state the calculation method of the risk level of the key factors. Jiang et al. (2023) propose proposes an electric power IoT security access method based on the zero-trust architecture, which mainly includes the IoT terminal identity management and authentication and dynamic access control. It proposes a continuous trust assessment method based on the ratio of normal and abnormal events in the dynamic access control module, but it does not state the assessment criteria of whether the events are abnormal or not.

For this reason, in the illegal terminal detection scheme based on zero-trust architecture proposed in this article, it focuses on three aspects, namely, smart device authentication, continuous trust assessment method for sessions, and dynamic access control, in order to cope with the insider threat posed by the out-of-touch terminal.

Unified identity management platform

Identity authentication technology is an effective solution to guarantee information security. Currently, most of the device authentication in power IoT is based on the traditional public key infrastructure method. These approaches create a certificate for each end device and exchanges certificates during authentication to check the legitimacy of the end identity. However, they have cumbersome certificate exchanges, making the authentication and management system very complex. With the access of a large number of terminal devices, it is difficult for them to respond quickly to the authentication request of each terminal.

For this reason, the proposed method establishes a unified identity management platform, verifies the data reliability and identity legitimacy of smart terminals based on identity identification, and manages user identity information in a unified manner. The identity management platform consists of a user identification information database, a user public key database and a digital signature verification algorithm module. Among them, the identity information of smart devices is collected and stored in advance to the user identity information database; the user public key is generated and issued by the third-party trusted platform according to the user identity information. When the smart device sends out an access request, the identity management platform receives the uplink access data forwarded by the device agent and access control engine, verifies the reliability of the digital signature and the legitimacy of the identity, and uniformly stores and man-ages the device identity information.

The identity authentication mechanism is shown in Fig. 4, and the specific steps are as follows:

1. Third-party trusted platform key generation and management. The third-party trusted key management platform, i.e., the key generation centre, undertakes key generation and management functions, generates the initial master private key and master public key through the random number generator, and generates the user’s private key and user’s public key and sends them out according to the user’s request for key generation, combining the user’s identity with the master private key;

2. The local device agent obtains the access request from the smart device and performs digital signature. After the intelligent device sends an access request, the local device agent obtains the request and requests the user private key from the key generation centre according to the corresponding user identification (i.e., device number), then digitally signs the data requested for upstream transmission according to the user private key, and finally upstream transmits the digital signature and service data to the access control engine;

3. The access control engine forwards the digital signature and service data to the unified identity management platform;

4. The unified identity management platform verifies the identity of the smart device. The unified identity management platform requests the key generation centre to generate a public key according to the corresponding user identification and stores it in the user public key database, and then verifies the reliability of the digital signature in the digital signature verification algorithm module, i.e., verifies the authenticity and integrity of the received data and checks whether the identity of the device that sends this data is legal.

The authentication mechanism is designed as an embedded module, which facilitates flexible replacement of the authentication scheme. We select SM9 (La, hao & Zhang, 2022; Yuan & Cheng, 2016) cryptosystem as an authentication module embedded in the authentication platform. The core of SM9 is an asymmetric algorithm based on binary linear pairs, which has higher computational complexity and improves the level of security protection of identity information; at the same time, the system calculates and generates the user key pairs according to the user identification, the master public key, the master private key and the public parameter, and does not need to apply for and exchange digital certificates, which reduces the complexity of the key management and use in the identity authentication. The embedded module approach makes the selection of authentication schemes more flexible. In practical applications, the authentication scheme can be flexibly changed according to user requirements, such as RSA (Burkhardt et al., 2023), AES (Aharoni et al., 2023), etc., to meet specific encryption standards.

Continuous confidence assessment platform

The trust assessment mechanism is an effective programme for controlling access in network security. Currently, most smart substations follow the secure communication mechanism of “one-time authentication, continuous trust”. This mechanism establishes communication between security-authenticated smart devices and the IoT management platform, and always trusts the access device until the end of communication. However, the current internal environment of the power system is not completely reliable, smart devices that have already established communication may be exploited. In response to such malicious behaviours such as carrying out data tampering and overstepping access rights, it is difficult for traditional trust mechanisms to detect abnormalities in a timely manner.

In this regard, the proposed method is based on the concept of zero trust, following the “never trust, always verify” trust mechanism (BILGERB, 2013), and establishes a continuous trust assessment platform to continuously assess the trustworthiness of access devices. The goal of trust assessment is to detect whether there is any abnormality in the current device, and the judgement criterion is whether the device deviates significantly from the normal communication behaviour during the continuous assessment process. To assess the communication behaviour of the device, the communication characteristic value of the device is extracted. In normal service communication, the device transmits data upstream at a stable frequency, the ratio of nodes receiving packets and sending packets is constant, the network delay does not change much, and the difference in device communication time is small. Therefore, the node packet delivery rate, average delay, and average communication time are extracted as communication eigenvalues. The communication eigenvalues are defined as shown in Eqs. (1)–(3), the packet delivery rate $P_{ratio}$ denotes the ratio of received packets to sent packets per unit of time T, the average delay $P_{delay}$ denotes the average value of service communication delay per unit of time T, and the average communication time $P_{message}$ denotes the average value of communication time per unit of time T.

(1) $$P_{ratio}={\displaystyle \frac{\sum _{i=1}^{T}Re{c}_i}{\sum _{i=1}^{T}Sen{d}_i}}$$

(2) $$P_{delay}={\displaystyle \frac{1}{T}\sum _{i=1}^{T}Dela{y}_i}$$

(3) $$P_{message}={\displaystyle \frac{1}{T}\sum _{i=1}^{T}Me{s}_i.}$$

The trust evaluation mechanism calculates the deviation of the feature vector of the current device from the other devices in the current unit of time based on the communication feature vector P( $P_{ratio}$, $P_{delay}$, $P_{message}$), and then calculates the deviation of the communication feature vector between the current device and its history time. If there is a significant deviation in the communication feature vector of the current device, it indicates that its communication behaviour is abnormal and the device is untrustworthy.

In this article, based on the idea of mean drift (Okade & Biswas, 2013), we propose a trust assessment method based on centroid drift to build a dynamic detection model for the data, which does not need to make trade-off judgements on the data when building the model, and overcomes the influence of outliers. The core idea of the algorithm is to replace the communication feature vector P of a device with the centroid P′ ( $P_{ratio}^{\mathrm{\prime }}$, $P_{delay}^{\mathrm{\prime }}$, $P_{message}^{\mathrm{\prime }}$) of its k-nearest-neighbours’ feature vectors, and then compute the feature vector move distance, and finally compute the device trust value based on the move distance. Where the centroid of the feature vector of the nearest neighbour of device k is calculated as shown in Eqs. (4)–(6).

(4) $${\mathrm{P}}_{ratio}^{\mathrm{\prime }}={\displaystyle \frac{max\left({\mathrm{P}}_{ratio}^i\right)+m\mathrm{i}n\left({\mathrm{P}}_{ratio}^i\right)}{2},i=1,2,\dots ,k}$$

(5) $${\mathrm{P}}_{delay}^{\mathrm{\prime }}={\displaystyle \frac{max\left({\mathrm{P}}_{delay}^i\right)+m\mathrm{i}n\left({\mathrm{P}}_{delay}^i\right)}{2},i=1,2,\dots ,k}$$

(6) $${\mathrm{P}}_{message}^{\mathrm{\prime }}={\displaystyle \frac{max\left({\mathrm{P}}_{message}^i\right)+m\mathrm{i}n\left({\mathrm{P}}_{message}^i\right)}{2},i=1,2,\dots ,k.}$$

The distance travelled when the device communication vector P is replaced with the centre point P′ is calculated as shown in Eq. (7).

(7) $$D=\sqrt{{\left(\mathrm{\Delta }{P}_{ratio}\right)}^2+{\left(\mathrm{\Delta }{P}_{delay}\right)}^2+{\left(\mathrm{\Delta }{P}_{message}\right)}^2}$$

$$\mathrm{\Delta }{P}_{ratio}=P_{ratio}^{\mathrm{\prime }}-P_{ratio}$$

$$\mathrm{\Delta }{P}_{delay}=P_{delay}^{\mathrm{\prime }}-P_{delay}$$

$$\mathrm{\Delta }{P}_{message}=P_{message}^{\mathrm{\prime }}-P_{message}.$$

The confidence level is calculated as shown in Eqs. (8) and (9), where ${\epsilon }_{\delta }$ is used to describe the empirical parameters.

(8) $$T={\displaystyle \frac{1}{1+{\mathrm{e}}^{-\delta +D}}\mathrm{\Delta }{P}_{ratio}=P_{ratio}^{\mathrm{\prime }}-P_{ratio}}$$

(9) $$\delta ={\displaystyle \frac{1}{n}\sum _{i=1}^n\sqrt{D^i}+{\epsilon }_{\delta },i=1,2,\dots ,n.}$$

At this point, the value of trust degree is in the range of (0,1), and the higher the outlier value of the device, the higher the trust degree. When the trust degree is higher than 0.5, then this device can be trusted, otherwise the device cannot be trusted.

The algorithm for continuous trust assessment based on centroid drift is shown below:

1. Calculate the current trustworthiness value of the smart device based on the communication feature values.

• The platform obtains the incoming smart device access request from the access control engine, and extracts the communication feature values of the current access device according to Eqs. (1)–(3), which are noted as ${\mathrm{P}}_{ratio}^{\ast }$, ${\mathrm{P}}_{delay}^{\ast }$ and ${\mathrm{P}}_{message}^{\ast }$, respectively;

• Obtain the communication feature values of the current n access devices, noted as ${\mathrm{P}}_{ratio}^i,{\mathrm{P}}_{delay}^i,{\mathrm{P}}_{message}^i\left(i=1,2,\dots ,n\right)$;

• Find the k-nearest neighbours of each device and compute the centroid ${\mathrm{p}}^{i^{\mathrm{\prime }}}\left({\mathrm{P}}_{ratio}^{\mathrm{\prime }},{\mathrm{P}}_{delay}^{\mathrm{\prime }},{\mathrm{P}}_{message}^{\mathrm{\prime }}\right)$ of the k-nearest neighbours. In each iteration, the k-nearest neighbours of the ith device are found and the centroid is calculated according to Eqs. (4)–(6). Where k is selected by choosing a value proportional to the amount of data n (Yang, Rahardja & Fränti, 2021) as shown in Eq. (10):

  (10) $$k=2\times \left[5\times {\displaystyle \frac{\log \left(n\right)}{2}}\right]+1.$$

• The device communication point ${\mathit{p}}^{{\mathit{i}}^{\mathbf{\prime }}}\left({\mathrm{P}}_{ratio}^{i^{\mathrm{\prime }}},{\mathrm{P}}_{delay}^{i^{\mathrm{\prime }}},{\mathrm{P}}_{message}^{i^{\mathrm{\prime }}}\right)\left(i=1,2,\dots ,n\right)$ is replaced with the device’s k-nearest-neighbour centroid ${\mathbf{p}}^{{\mathit{i}}^{\mathbf{\prime }}}\left({\mathrm{P}}_{ratio}^i,{\mathrm{P}}_{delay}^i,{\mathrm{P}}_{message}^i\right)$. Calculate the current device ${\mathit{P}}^{\mathbf{\ast }}(P_{ratio}^{\ast }$, $P_{delay}^{\ast },P_{message}^{\ast })$ k nearest neighbour centroid ${\mathbf{p}}^{{\mathbf{\ast }}^{\mathbf{\prime }}}({\mathrm{P}}_{ratio}^{{\ast }^{\prime }}$, ${\mathrm{P}}_{delay}^{{\ast }^{\prime }},{\mathrm{P}}_{message}^{{\ast }^{\prime }})$ according to Formulas (4)–(6). Finally the outliers $D^{\ast }$ of the communication point ${\mathit{P}}^{\mathbf{\ast }}$ are calculated according to Eq. (7);

• Calculate the real-time trust value $T_1$ of the current device according to Eqs. (8) and (9).The value range of trust is [0,1], and the larger the outlier value of the device is, the higher the trust is. When the outlier value is equal to the threshold value, the trust degree value is 0.5, i.e., 0.5 is the trust degree threshold value, and the device can be trusted when its trust degree is not lower than 0.5, otherwise it cannot be trusted.

2. Calculate the historical trust value of the smart device based on the historical data.

• Find the historical data in the server and obtain the communication characteristic value of the current access device in the past k unit time;

• Calculate the k nearest-neighbour centroids of the device’s historical communication points according to Eqs. (4)–(6);

• Calculate the device historical trust value $T_2$ according to Eqs. (7)–(9).

3. Calculate the smart device trust value and assess the trustworthiness.

• Calculate the total smart device trust value based on $T_1$, $T_2$ as shown in Eq. (11):

(11) $$T={\displaystyle \frac{T_1+T_2}{2}.}$$

• The range of the total device trust value is [0,1], when the trust value is lower than the threshold value of 0.5, the system considers this device untrustworthy and does not allow it to continue communication.

The continuous trust evaluation platform constructs a dynamic outlier detection model based on the trust degree calculation method of centre point drift, continuously evaluates the trustworthiness of the access device, and transmits it to the security protection system. The security protection system detects the trustworthiness value in real time, and if the trustworthiness is lower than the security threshold, it immediately disconnects the communication and controls the abnormal equipment in order to improve the sensitivity of abnormality detection and the level of communication security.

Especially, to balance trust assessment accuracy with system performance, we propose a mechanism for dynamically adjusting the granularity of trust assessments. we classify devices into different categories based on their importance and risk levels, and implement tailored trust assessment schemes accordingly. For high-importance devices, we employ a fine-grained trust assessment approach, which continuously monitors their trustworthiness and detects any potential abnormal behaviors in real time. In contrast, for devices of lower importance, we adopt a coarse-grained assessment strategy, incorporating an incremental evaluation mechanism as well as a trust level caching mechanism. Initially, a trustworthiness value is assigned to each device upon its first access, and this value is cached for subsequent use. The reassessment process is only triggered when there is a change in the device’s behavior. This approach effectively reduces resource consumption while maintaining an optimal balance between assessment accuracy and performance.

Access control engine

Access control mechanism is an important measure to maintain data security and order. Currently, most of the access control mechanisms in substations are static, generating device access policies based on the access requests and security verification results of smart devices and restricting them from accessing the IoT management platform according to fixed permissions. However, due to the dynamic nature of contextual characteristics of power IoT, dynamic access policies are needed to meet its dynamic access characteristics. Static access control mechanisms cannot meet this need.

To achieve dynamic access control, the proposed method builds an access control engine. The engine generates real-time access policies and dynamically enforces them based on the results of device authentication and continuous trust evaluation to achieve dynamic access control. The access control engine consists of a policy administrator (PA), a policy engine (PE) and a policy enforcement point (PEP). Among them, PA is mainly re-sponsible for real-time monitoring and control of communications by issuing commands to relevant PEPs, PE is mainly responsible for generating real-time access policies, and PEP is mainly responsible for enabling, monitoring, or terminating the communication connection between the subject and the object.

The working mechanism of the access control engine is shown in Fig. 5, and the specific steps are as follows:

1. PA establishes communication with PE to generate access policy. First, after PA obtains the access request forwarded by the local device agent in the data plane, it establishes communication with the policy engine PE, forwards the device access re-quest, and waits for the policy generation. Then, the PE establishes communication with the unified identity management platform to obtain the smart device identity authentication results, i.e., whether the current device access data is complete and whether the device identity is legitimate. At the same time, the PE establishes communication with the continuous trust assessment platform to obtain the real-time trust value of the smart device. Finally, the PE generates a real-time access policy based on the authentication and trust assessment results: when the device identity is authenticated and the trust level is higher than the threshold, the communication is allowed, otherwise the communication is denied or interrupted and transmitted to the PA;

2. PA establishes communication with PEP and dynamically enforces the access policy. Firstly, PA sends corresponding commands to PEP according to the real-time access policy. Then, PEP executes various kinds of instructions issued by PA, including establishing subject-object communication sessions, rejecting subject-object session re-quests, blocking established sessions, etc. After PEP completes the instruction execution, it feeds back instruction execution information to PA;

3. PA continuously communicates with PEP and PE to perform continuity trustworthiness assessment of the session. PEP continuously monitors the session, obtains real-time communication data of the accessing subject, and continuously feeds back communication data and communication parameters of the accessing device to PA. Then, PA, PE, and PEP continuously generate real-time access policies and execute them according to the working mechanism of process (1) and (2) to achieve dynamic access control.

Dynamic access control mechanism monitors communications in real time, generates real-time access policies and enforces them according to the results of identity authentication and real-time trust assessment, and carries out access control in a dynamic way, which can meet the dynamic access characteristics of the Internet of Things in electric power.

Application programme

The application of the proposed method to power systems is confronted with several key challenges, which are outlined as follows: (1) the potential incompatibility of legacy devices with the proposed framework; (2) the high costs associated with continuous trust evaluation for each device; (3) the limitations in scalability imposed by the utilization of the SM9 state secret algorithm; and (4) the inherent complexity of implementing a zero-trust model in the context of real-time operations of power systems. Consequently, this section provides a detailed discussion of these issues.

Security detection effectiveness experiment

The experimental test index is the security verification results, and the test results are shown in Table 3. A total of 100 groups of samples are set for the experiment, including 26 groups of abnormal data. According to the experimental results, the empirical parameters are constantly revised. When the empirical parameter takes the value of 0.22, the anomaly detection rate is 96.15%, and the security verification accuracy rate is 98.6%. The experimental results show that by selecting the appropriate empirical parameter, the security detection of the illegal device detection system for access devices is more accurate, and the detection model is less affected by the abnormal values.

Time delay experiment

The real-time generation of dynamic access policies can introduce delays, particularly in large Internet of Things (IoT) networks, where real-time responsiveness is of paramount importance. In critical infrastructures such as power grids, even minimal delays can precipitate significant operational issues. To assess whether the zero-trust framework contributes to such delays, we compare our proposed approach with the traditional Attribute-Based Access Control (ABAC) model. Specifically, we evaluate the average decision-making time of both models, as illustrated in Fig. 7, and the accuracy of their interactions, as shown in Fig. 8. The experimental results indicate that our approach achieves a notably higher interaction correctness rate compared to the traditional ABAC model. While trust evaluation plays a central role in our model, directly influencing its overall performance, the decision-making time in our model is slightly longer than that of the ABAC model. However, as the volume of data increases, the time delay tends to stabilize, and this delay remains within acceptable limits.