Content uploaded by Jing Liu
Author content
All content in this area was uploaded by Jing Liu on Mar 22, 2014
Content may be subject to copyright.
Accountability in Smart Grids
Jing Liu,Yang Xiao, Jingcheng Gao
Department of Computer Science
The University of Alabama
Tuscaloosa, AL 35487-0290 USA
Abstract— A feasible architectural framework for the smart
grid in home areas is provided based on the latest NIST
(National Institute of Standards and Technology, U.S.) smart
grid interoperability standards (release 1.0). In this paper, we
propose an accountable communication protocol using this
architecture with certain reasonable assumptions. Analysis
results indicate that our design makes all power loads in home
areas accountable.
Keywords-smart grid; AMI; security; accountability
I. INTRODUCTION
*Smart grid is a promising power delivery infrastructure
integrated with bi-directional communication technologies
that collects and analyzes data captured in near-real-time,
including power consumption, distribution, and transmission
[1]. According to these data, it can provide predictive
information and relevant recommendations to all
stakeholders, including utilities, suppliers, and consumers,
regarding the optimizing of their power utilization [1]. By
two-way electrical flow, consumers are able to sell their
surfeit energy back to utilities [2]. In other words, smart grid
is a complex system of systems.
Nationwide deployment and popularization of the smart
grid require decades of work. Bringing new markets into the
grid is encouraged before it can be fully accomplished. It is
worth mentioning that the interests of all stakeholders
should be considered during development. As such,
homeowners must be taken into account. Since enabling
consumer participation is a major characteristic of the
modern grid, homeowners’ considerations are extremely
important. As we know, their primary concern regarding
power usage is the monthly bill sent by their service
providers (e.g., utilities). If possible, homeowners would
rather know the details of their power usage than simply a
bill with a total consumption. Albeit the real-time, or day-to-
day, cost of electricity could be determined by the smart
meter, we still doubt its reliability. The utility, or the smart
meter itself, may alter transmitted data to suit someone’s
interests or for some other reasons (e.g., because they are
under attack). As a consequence, a homeowner could have
two different electric bills: one from the utility and one from
the smart meter. Furthermore, in smart grids, prices change
with time such that traditional billing via the total amount of
energy consumed using an average price is no longer
feasible. Therefore, the exact times when power is used are
*The corresponding author is Prof. Yang Xiao. Email:
yangxiao@ieee.org
important and should be made accountable. To solve the
above problems and to make the smart grid in home areas
reliable are the two major motivations of this paper.
In this paper, after reviewing metering systems in smart
grids, we design an accountable communication protocol for
home use that uses a peer review strategy. Under certain
assumptions, the following three major contributions are
made in this paper:
1. A smart meter can prove the correctness of any smart
appliance in a home area.
2. A group of smart appliances can prove the correctness
of the smart meter.
3. A service provider can prove the correctness of the
smart meter.
The rest of this paper is organized as follows. Section II
discusses how an accountable system for a home area smart
grid can be designed and deployed. Section III analyzes and
proves the system accountability by accountability logic.
Finally, we conclude this paper in Section IV.
II. ACCOUNTABILITY IN HOME AREA
Although the framework and blueprints of the smart grid
have been discussed in recent years [3-15], a specific
standard for its implementation is still to be determined.
Two steps therefore need to be clarified before designing an
accountable system for the smart grid in a home area: the
first is to build a possible architectural framework for its
implementation, and the second is to identify potential
security problems.
A. Architecture
Figure 1. Smart grid in home area.
Based on the smart grid characteristics and system
framework, we propose a reasonable architecture for a home
area smart grid, as shown in Figure 1. Note that it works for
the Building Area Network (BAN) and Industrial Area
Network (IAN) as well.
The 8th Annual IEEE Consumer Communications and Networking Conference - Special Session on Smart Grids - Emerging
Services and Networks
978-1-4244-8790-5/11/$26.00 ©2011 IEEE 1166
As illustrated in Figure 1, a smart meter, M, acts as a
middleman between the service provider, S, and home
appliances (e.g., A,B, and C). It is a gateway that monitors
all incoming and outgoing electricity flow. Meanwhile, it
also records power consumption and generation in home
areas. We divide electrical appliances into two categories
based on their communication capability. One refers to
smart appliances and the other to regular appliances. In our
case, only smart appliances have the ability to exchange
information or message (e.g., market price, trading price,
and consumption logs) with others, including the smart
meter. They are also capable of recording those messages.
For those regular appliances that are not interactive, the
smart meter simply monitors their activities on
corresponding power supply ports. In a modern power grid,
most families would probably equip a power generation and
storage device, denoted as G. We assume that such
equipment is a type of smart appliance. Since regular
appliances have no communication capabilities, we simply
assume that all appliances in future home areas will be smart
appliances.
B. Problem Statement
In order to clearly state our problems, conducting an
intensive study of the metering system in the home area is
essential. Conventional metering systems charge electricity
consumption according to its reading at the end of each
month, as shown Figure 2. If the meter reading says that n
kWh have been used within a month, the bill (aka. service
amount) without tax will be the product of n and a unit
average price (denoted as m dollars/kWh). Basically, m is
predefined and published by the service provider. It does not
change very often. Therefore, it can be regarded as a
constant value.
$16.36
$17.69
$19.21
$21.00
$22.28
$24.27
$30.42
Dec-09 Jan-10 Feb-10 Mar-10 Apr-10 May-10 Jun-10
0
20
40
60
80
100
120
140
Service Amount & Usa
g
e
(kWh)
Usage (kWh)
Service Amount (Cost $)
Figure 2. Conventional service amount and usage chart.
Unlike the simple conventional approach, a modern
power grid will use smart meters to read electricity usage at
a predetermined requested interval (e.g., daily, hourly, or per
minute). Those reading data will be stored locally and
transmitted to the service provider as usual. At higher levels,
the smart meter will get a real-time unit price (aka. market
price) from the service provider or other market via a bi-
directional wired or wireless network. Together with the
powerful energy management of Advanced Metering
Infrastructure (AMI), households can not only make
economic choices based on dynamic prices, but they can
also shift, load, and store or sell surplus energy. Hence,
calculating the service amount in such a new power
infrastructure is difficult.
Basically, only two key factors affect the bill: 1) the real-
time power usage and 2) the market price. Both aspects can
be obtained by the smart meter in real-time. However, we
cannot simply do a multiplication to get the service amount
since the market price is not a constant value and may vary
from time to time. For example, the price could remain high
during peak hours or high demand periods due to electricity
shortage. When outside of peak periods, it is decreased
accordingly. The price also can be affected by local weather
conditions. Continuous cloudy or rainy days may reduce the
local production of solar energy and thereby the price could
go up. But if a strong hurricane follows, the price will
reasonably fall since it enhances wind power generation at
the same time. Hence, it is hard to predict the exact market
price at a particular time and a specific location. We instead
maintain a record of fore-passed market price. Current
solutions, reported by the U.S. DOE [2], take three typical
tariff forms: time of use (TOU), critical peak pricing (CPP),
and real-time pricing (RTP). TOU pricing is solely based on
a peak or off-peak period designation. Prices are set higher
during peak hours. Under CPP, prices during peak hours
(basically some short periods within a year) are set at a
much higher level compared than under normal conditions.
RTP pricing is much more flexible, in that hourly prices are
differentiated according to the day-of or day-ahead cost of
power to the service provider. Actually, pricing in the smart
grid is still an interesting and essential open issue that must
be addressed. The author in [18] argued that a price-
response demand mechanism should be introduced in the
smart grid. Since pricing is not our primary scope in this
paper, we simply assume that the real-time market price can
be obtained in a secure and feasible way (via service
provider or third party, e.g., markets). Under such conditions,
we reasonably suppose that, given any past time t, the
market price can be determined by a function M(t). As it is a
dynamic feature, M(t) should be a non-linear and random
curve regarding time t, as illustrated in Figure 3.
Trading
Power
Appliance B
Power Usage
Appliance A
Power Usage
Market
Price
tatbtctdte
from service provider from home generation
Time
M(t)
GB(t)
EB(t)
EA(t) GA(t)
Trading
Price
T(t)
S(t)
Figure 3. Aggregation information in the smart meter.
Another possible factor affecting the service amount is
the presence of a home generated power system (e.g., wind
or solar energy). Without consideration of its own
consumption, the generated energy can be divided into two
parts: one consumed by other electrical appliances at home
while the other is sold back to the service provider. Both of
them are monitored and recorded by the smart meter. But
only the trading portion impacts the service amount. Notice
that the trading price could be the market price or even be
set by the homeowner. Here we suppose that the trading
price is a non-linear function of t and denoted as T(t), as
shown in Figure 3.
1167
Figure 3 is an example of energy usage in a modern
power grid. We denote purchased energy (from a service
provider) as E(t), self-consumed energy (from home
generation) as G(t), and trading power as S(t). They are all
functions with respect to time t. If there is no power
consumption or sale event during a period, the relevant
functions will automatically be zero. Given any time period
from ta to tb (tb˚ta), the total service amount denoted as
Bill(ta,tb) should be:
³ b
a
t
t
ba dttStTtEtMttBill )()()()(),( (1)
In equation (1), E(t) can be obtained by attaining the sum
of every individual consumption (denoted as Ei(t) where i is
the name of electrical appliance). For each appliance i, the
service amount from ta to tb (tb˚ta), denoted as Billi(ta,tb),
can be determined by the following equation:
³ b
a
t
tibai dttEtMttBill )()(),( (2)
Equation (1) can thus be rewritten as:
³
¦
b
a
t
t
BAi
baiba dttStTttBillttBill )()(),(),(
,...,
(3)
From the above, it is not difficult to see that computing
service amounts in a smart grid is indeed a complicated
procedure. Many factors in the smart meter can affect the
final bill. Any alternation, forgery, delay, or removal of
those historical records may lead to a different price.
Although we could equip secure smart meters to enhance
reliability, homeowners or cyber attackers may still
manipulate the smart meter for their own interests. In
addition, when the service provider brings alternative bills to
a homeowner, who should we trust? Since most service
providers rely on meter readings, to ensure a secure and a
reliable smart meter is our primary task.
We consider an entity as correct only if it strictly follows
a given protocol. Otherwise, we regard it as faulty. Here we
use smart appliances as witnesses to prove that the smart
meter is correct. The witness idea was inspired by the
PeerReview system [19]. In this case, three new problems
should be addressed. First, a smart appliance itself may have
errors or be controlled by a malicious person. To make every
faulty smart appliance detectable is necessary (Challenge 1).
Second, since appliances have limited capabilities for
communication and storage, to design a feasible, observable
mechanism for witnesses is also required (Challenge 2).
Third, home generated power is managed by the smart meter
only. Other smart appliances do not know where the power
load comes from: it may be supplied by the free home
generation, or purchased from the service provider. Without
supervision, the smart meter may deny that during a certain
period an appliance was using power from the service
provider (Challenge 3). In the following sections, we will
describe our design of accountable AMI that addresses these
challenges.
C. Terms and Assumptions
Before specifying our communication protocol, several
terms and assumptions should be addressed as follows:
Terms
-{A,B, …}: a set of communication participants in
the smart grid, known as principals. Specifically, M
stands for the smart meter, G represents as the home
generation and storage device, and S refers to the
service provider.
-{m,m’,n}: a set of messages or message
components.
-{ti | i = a,b, …}: a set of time points.
-{Ki,Ki
-1}: a pair of public/private keys of principal i.
-{m}Ki:m encrypted with the public key of principal i.
-{m}Ki
-1:m encrypted or signed with the private key
of principal i.
Assumptions:
1. Every electrical appliance i in the home area is a
smart appliance with sufficient storage space and a
constant capacity factor Pi (kW).
2. The running state of every smart appliance (e.g., on
or off) is known by the others in real-time.
3. Functions of market price M(t) and trading price T(t)
are authenticated by the service provider. Every
smart appliance shares these functions at the same
time.
4. There is a function w that maps each appliance to its
set of witnesses. We suppose that, for any appliance
i in a home area, the set {i}Ĥw(i) contains at least
one correct smart appliance.
5. A message sent from one correct appliance to
another will eventually be received.
6. Each involved communication principal uses PKI
technology to identify itself; they can sign messages,
but a faulty principal cannot forge the signature of
correct one.
7. A home generation and storage device G must
record its own power load truthfully.
Assumption 2 depends on circuit/communication designs
which may be achieved by particular sensor units in the
smart grid. For simplicity, we suppose that Assumption 2
can be met. More specifically, we suppose that there is a
function Ri(t) that records the running state of appliance i.
When t is within the running period of i,Ri(t) is granted to 1;
otherwise, Ri(t) is set to 0.
D. Accountable Protocol
Since the power usage of appliance i can be determined
by its capacity factor Pi and running state Ri(t), the equation
(2) for its market service amount can be rewritten as:
³ b
a
t
tiibai dttRtMPttMPA )()(),( (4)
According to equation (4), if any principal j (j i) holds
Pi,M(t), and Ri(t) at the same time, j is able to determine i’s
market service amount for any past period. Notice that j still
does not know the exact service amount of i, since j has no
knowledge of i’s power source. If i were using home
generated power all the time, i’s service amount would be
zero. For auditing, i’s market service amount can also be
specified by:
³ b
a
t
tiibai dttGtEtMttMPS )()()(),( (5)
Next, we borrow some ideas from the PeerReview
system [19]. Given any period from ta to tb,MPAi(ta,tb)
should equal MPSi(ta,tb). Based on this fact, we can design a
deterministic mechanism to detect faulty principals in a
home area. Under our proposed architecture, each appliance
i has two modules for accountability: a log module Li and a
detector module Di.Li generates a complete evidence log of
i’s power usage. Di checks other logs to tell whether faults
are, or are not, present. Informally, faulty(j) is issued when i
can prove that j is abnormal; suspected(j) is raised when i
has not received an expected message from j on time;
1168
correct(j) is released otherwise. Our design therefore
follows the following protocols:
xWhen a new appliance i is plugged in, i will sign Pi
with its unique signature Ki
-1 and broadcast {Pi}Ki
-1
among all principals in the home area.
xThe smart meter will notify each appliance as to
whether or not it currently uses home generated power.
xEvery appliance has one copy of its own log, which is
ensured by the tamper-evident log mechanism [19];
other logs will be retrieved when required. Appliances
exchange just enough messages to prove themselves.
xEach appliance is mapped to several other appliances.
They act as witnesses that collect its log, check its
correctness, and report the results to the rest of the
system.
xA commitment protocol [19] is adopted to ensure that
witnesses will retrieve exactly the same log as the
target appliance owns. It also guarantees that no one
can deny a received message.
xThis protocol uses a challenge/response protocol [19]
to address the problem that some appliances do not
respond or fail to acknowledge that messages were
successfully sent.
Next, we will demonstrate how it works in detail.
Initially, every new appliance i will be assigned a set of
witnesses wi by the smart meter. Then, i will sign Pi with its
unique signature Ki
-1 and send {Pi}Ki
-1 to the smart meter
and each member of wi. When i is running, Li generates a
tamper-evident log to record its power usage. Since the
smart meter will notify i regarding its power source, the log
will record both Ei(t) and Gi(t). In order to check whether i is
correct or not, each witness of wi will periodically request its
most recent log segment. Suppose that the last audit time is
ta and the current time is tb. In this case, i first requests and
records the latest M(t) and T(t) from the smart meter. Then it
sends back all the log entries since time ta, together with the
corresponding market service amount determined by
equation (5). Specifically, the response message mi should
be {ta,tb,Ei(t),Gi(t),MPSi(ta,tb)}Ki
-1. When a witness j
(jwi) receives mi,Dj will recalculate i’s market service
amount MPAi(ta,tb) by equation (4) according to its own
records of Pi,M(t), and Ri(t) (refer to assumptions 1, 2, and
3). If MPAi(ta,tb) is a verified MPSi(ta,tb) (using Ki to verify
mi), Dj will issue correct(i); otherwise, faulty(i) is issued
(Challenge 2 is addressed). Since we use a
challenge/response protocol here, every appliance i must
respond to the requests from its witnesses, or else
suspected(i) will be indicated. We also adopt the
commitment protocol here, so that all signed messages are
evidence against faulty appliances. Because there is always a
correct witness j within wi (Assumption 4) and all delivered
messages will be received (Assumption 5), a faulty
appliance i will eventually be exposed by Dj with its
indicators: suspected(i) or faulty(i) (Challenge 1 is
addressed).
To deal with Challenge 3, we consider all appliances in
the home area as witnesses of the smart meter. When
suspicious are raised against the smart meter, the third party
(e.g., the service provider) will retrieve all evident logs
regarding Gi(t) from each home appliance i, together with
the self-consumed energy record G(t) from the home
generation and storage device G. Since every principal uses
tamper-evident logs to record its behavior, any mismatch
between Gi(t) and G(t) will prove that the smart meter is not
correct according to Assumptions 4 and 7.
The protocol described so far has addressed the three
aforementioned challenges. Convinced evidences are able to
eliminate the questionable charges on the final bill. As the
message latency, throughput, and traffic overhead, the paper
[19] has shown that this peer review mechanism is scalable
in distributed system based on experiments and
mathematical analysis.
III. PROTOCOAL ANALYSIS
In this section, we will analyze the accountability of our
protocol by using the same analysis method as in [17]. First,
it defines accountability goals. Then it will interpret every
message into a logical description. After that, the initial
assumptions will be restated in a logical way. Based on the
logic described in [17], we can eventually prove that our
protocol can achieve all accountability goals by using the
message interpretation and the initial assumptions.
A. Temporal Accountability Goals
We present accountability goals for our proposed
protocol based on the definitions and three challenges stated
in Section II. Suppose that X is any appliance in the home
area and that Y is X’s witness. The goals can therefore be
described as follows:
G1:M CanProve (X is faulty or correct)
G2:X CanProve (M is faulty or correct)
G3:Y CanProve (X is faulty or correct)
G4:S CanProve (M is faulty or correct)
B. Message Interpretation
Since an unsigned message has no effect on the
achievement of goals in accountability logic, we only
consider signed ones. The message flows can therefore be
interpreted as follows:
1) M Receives ({PX} SignedWith KX
-1)
2) Y Receives ({PX} SignedWith KX
-1)
3) X Receives ({ta,tb,EX(t),GX(t),
{M(t),T(t)} SignedWith KS
-1} SignedWith KM
-1)
4) Y Receives ({ta,tb,
{M(t),T(t)} SignedWith KS
-1} SignedWith KM
-1)
5) Y Receives ({ta,tb,EX(t),GX(t),MPSX(ta,tb)}
SignedWith KX
-1)
6) S Receives ({{Gi(t)} SignedWith Ki
-1|iall
appliances},
{G(t)} SignedWith KG
-1,)
C. Initial Assumptions
The initial state assumptions required in the analysis are:
A1:Y Receives ({PX} SignedWith KX
-1) =>
(Y CanProve (PX isTrusted))
A2:X Receives ({EX(t),GX(t)} SignedWith KM
-1) =>
(X CanProve ({EX(t),GX(t)} isTrusted))
A3:X Receives ({M(t),T(t)} SignedWith KS
-1) =>
X CanProve (M(t) isTrusted) and (T(t) isTrusted)
A4:Y CanProve (Ri(t) isTrusted)
A5:S CanProve (G(t) isTrusted)
D. Protocol Analysis
xMessage 1:
When M receives message 1, M knows it was sent by X
based on its unique signature. Since M can monitor X’s
power usage, PX can be verified by M. If PX is not true, M
can claim X is faulty. Otherwise, M can prove the following
statement by applying the accountability postulate [16, 17].
1169
M CanProve (X says PX) and (PX isTrusted)
When a suspicion is issued against PX, this statement can
be used as evidence to prove (PX isTrusted). This is the
accountability goal G1.
xMessage 2:
Y receives message 2 at the same time as M.Y can prove
the following statement by applying the accountability
postulate and A1.
Y CanProve (X says PX) and (PX isTrusted)
When a suspicion is issued against PX, this statement can
be used as evidence to prove (PX isTrusted). This is the
accountability goal G3.
xMessage 3:
Message 3 is required when Assumption 3 is made. X
will periodically request message 3 from M. Since X knows
its total power consumption costab during the period from ta
to tb, X can verify EX(t) and GX(t) by comparing their
summation with costab.Faulty(M) will be issued if the result
is not equal. This is the accountability goal G2. Then X can
prove the following statement by applying the accountability
postulate, A2, and A3.
X CanProve ({EX(t),GX(t),M(t),T(t)} isTrusted)
When a suspicion is issued against EX(t), GX(t),M(t), and
T(t), this statement can be used as evidence to prove ({EX(t),
GX(t),M(t),T(t)} isTrusted).
xMessage 4:
Message 4 is similar to message 3. By recording
message 4, Y can prove the following statement by applying
the accountability postulate and A3.
Y CanProve (M(t) isTrusted) and (T(t) isTrusted)
When a suspicion is issued against M(t) and T(t), this
statement can be used as evidence to prove that they are both
trusted. This is also the accountability goal G2.
xMessage 5:
Message 5 is a key to achieving accountability goal G3.
When Y receives message 5, DY will process the auditing of
this message. Together with the statements from messages 2
and 4, Y can eventually prove the following statement by
applying the accountability postulate and A4.
Y CanProve (X is faulty or correct)
By combining all such statements from every appliance,
the accountability goal G2 will also be achieved.
xMessage 6:
Through checking the difference between G(t) and the
summation of Gi(t) for each appliance i,S can easily verify
whether or not they are equal. If the answer is no, S will
issue faulty(M) based on A5. Therefore, S can prove the
following statement by using the message 6:
S CanProve (M is faulty or correct)
This is the accountability goal G4.
IV. CONCLUSION
A feasible architectural framework for the smart grid in
home areas has been presented based on the latest NIST
smart grid interoperability standards (release 1.0). This
paper has designed an accountable communication protocol
using the proposed architecture with certain reasonable
assumptions. Analysis results indicate that such a design
makes all power loads in home areas accountable.
ACKNOWLEDGEMENT
This work was partially supported by the US National
Science Foundation (NSF) under grant numbers: CNS-
0737325,CNS-0716211, and CCF-0829827.
REFERENCES
[1] Cisco Systems, Inc., “Internet protocol architecture for the smart
grid,” White Paper, July 2009, available at:
http://www.cisco.com/web/
strategy/docs/energy/CISCO_IP_INTEROP_STDS_PPR_TO_NIST_
WP.pdf.
[2] U.S. DOE, “Smart grid system report,” White Paper, July 2009,
available at:
http://www.oe.energy.gov/SGSRMain_090707_lowres.pdf.
[3] U.S. NETL, “Advanced metering infrastructure,” White Paper, Feb.
2008, available at: http://www.smartgrid.gov/white_papers.
[4] U.S. NIST, “NIST framework and roadmap for smart grid
interoperability standards, release 1.0,” NIST Special Publication
1108, Jan. 2010, available at:
http://www.smartgrid.gov/standards/roadmap.
[5] West Virginia Division of Energy, “West virginia smart grid
implementation plan,” U.S. DOE/NETL Report, Aug. 2009,
available at: http://www.smartgrid.gov/reports.
[6] U.S. NETL, “A systems view of the modern grid,” White Paper, Jan.
2007, available at: http://www.smartgrid.gov/white_papers.
[7] A. Clark and C. J. Pavlovski, “Wireless networks for the smart
energy grid: application aware networks,” in: Proc. IMECS 2010.
[8] J. Gadze, “Control-aware wireless sensor network platform for the
smart electric grid,” IJCSNS International Journal of Computer
Science and Network Security, vol. 9, no. 1, Jan. 2009, pp. 16-26.
[9] D. Dvian and H. Johal, “A smart grid for improving system
reliability and asset utilization,” CES/IEEE 5th International Power
Electronics and Motion Control Conference, Shanghai, China,
August 2006, pp. 1-7.
[10] G. N. Srinivasa Prasanna, A. Lakshmi, S. Sumanth, V. Simha, J.
Bapat, and G. Koomullil, “Data communication over the smart grid,”
in: Proc. ISPLC 2009, Dresden, 2009, pp. 273-279.
[11] H. A. Khan, Z. Xu, H. Iu, and V. Sreeram, “Review of technologies
and implementation strategies in the area of smart grid,” in: The 10th
Postgraduate Electrical Engineering and Computing Symposium,
IEEE WA Section, Perth, Australia, Oct. 2009.
[12] A. Cavoukian, J. Polonetsky, and C. Wolf, “SmartPrivacy for the
smart grid: embedding privacy into the design of electricity
conservation,” Identity in the Information Society, Springer
Netherlands, ISSN: 1876-0678, Apr. 2010.
[13] S. Spoonamore and R. L. Krutz, “Smart grid and cyber challenges –
national security risks and concerns,” March 2009, avaliable online:
http://www.whitehouse.gov/files/documents/cyber/Spoonamore-
Krutz - Smart Grid CyberSecurity Risks and Concerns.pdf.
[14] P. McDaniel and S. McLaughlin, “Security and privacy challenges in
the smart grid,” IEEE Security and Privacy, vol. 7, no. 3, May/June
2009, pp. 75-77.
[15] W. F. Boyer and S. A. McBride, “Study of security attributes of
smart grid systems – current cyber security issues,” DOE Scientific
and Technical Information Report, Apr. 2009, available at:
http://www.inl.gov/technicalpublications/Documents/4235623.pdf.
[16] R. Kailar, “Accountability in electronic commerce protocols,” IEEE
Transactions on Software Engineering, vol. 22, no. 5, May 1996, pp.
313-328.
[17] M. Kudo, “Electronic submission protocol based on temporal
accountability,” in Proceedings of the 14th Annual Computer
Security Applications Conference, 1998, pp. 353-363.
[18] H. Chao, “Price-responsive demand management for a smart grid
world,” The Electricity Journal, vol. 23, issue 1, 2010, pp. 7-20.
[19] A. Haeberlen, P. Kouznetsov, and P. Druschel, “PeerReview:
practical accountability for distributed systems,” ACM SIGOPS
Operating Systems Review, vol. 41, issue 6, 2007, pp. 175-188.
1170