Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges DIMACS Workshop on Algorithmic Decision Theory for the Smart Grid Stephen McLaughlin - Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1 Tuesday, October 19, 2010
Meter Data Management (for the last 100 years)
Meter Data Management (now and in the near future)
[Figure: two load plots, kW against time of day: "One Day" (00:00 to 00:00, 0 to 18 kW) and "One Hour" (18:00:00 to 19:00:00, 2 to 7 kW)]
[Figure: the same two plots annotated with what fine-grained interval data exposes: Peak Transient, Peak Usage, Outages, Hourly Average, Time of Use, Repetitive Features, Tampering, Power Quality over time, Types of appliances]
AMI - the justification
• Automated Meter Reading
‣ Pre-smart meter automated reading and outage notification
‣ Now expanding to Internet-connected SCADA systems
• Dynamic pricing schemes
‣ Time Of Use (peak load management)
‣ Maximum demand
‣ Demand response
• Flexible energy generation
‣ Enable consumer generation
‣ Alternate energy sources
AMI - the concerns
• What should we be concerned about?
‣ Accuracy/Fraud
‣ Consumer privacy
‣ National security
Penetration Testing AMI
“The organization assesses the security requirements in the Smart Grid information system on an organization-defined frequency to determine the extent the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the Smart Grid information system.” -p 117
Vulnerability Assessment
• Penetration testing: the art and science of breaking systems by applying attacker tools against live systems.
‣ Destructive research attempts to illuminate the exploitable flaws and effectiveness of security infrastructure.
• Bottom line Q/A
‣ Q: why are we doing this?
‣ A: part of Lockheed-Martin grant to aid energy industry in identifying problems before they are found “in the wild”.
‣ Q: what are we doing?
‣ A: evaluating a number of vendor products in the lab that are used in neighborhood-level deployments, i.e., we only look at the meters and collectors.
AMI Architectures
[Figure: Utility Server connected over a Backhaul Network (Cellular, Internet or PSTN) to Collectors and Repeaters; below them two meter networks, Meter LAN 1: Power Line Communication and Meter LAN 2: RF Mesh, each of Collector, Repeater and Meters]
Attack Trees
A means for pen-testing planning
[Figure: attack tree rooted at "Tamper Usage Data", an OR of three subgoals: (a) Tamper in Network, (b) Tamper Measurement, (c) Tamper Stored Demand. Leaves are labelled A1.1 to A3.3 and include Intercept Communications (A3.1), Man in the Middle, Spoof Meter, Disconnect Meter (A1.1), Meter Inversion (A1.2), Reset Net Usage, Log In and Clear Logged Events, Log In and Clear Event History (A1.3) and Recover Meter Passwords (A2.1); intermediate nodes are AND/OR gates]
Archetypal Trees
• Idea: can we separate the issues that are vendor independent from those that are specific to the vendor/device, e.g., access media?
[Figure: an Archetypal Tree for an Adversarial Goal, with attack leaves A and B, is turned into Concrete Trees for systems S1 and S2 by Grafting vendor-specific subtrees onto those leaves]
• ... then reuse an archetypal tree as a base for each vendor specific concrete tree.
Pen Testing via Archetypal Trees
1. capture architectural description
2. construct archetypal trees (for each attacker goal)
3. capture vendor-specific description (for SUT)
4. construct concrete tree
5. perform penetration testing and graft leaves toward goals
This paper: 3 attack trees (fraud, DOS, disconnect), 2 "systems under test" (SUT)
Construction of Archetypal Trees (built up over six slides; final state shown)
[Figure: archetypal tree for the goal "Forge Demand", expanded at the subgoal "Interrupt Measurement"]
Forge Demand
‣ Interrupt Measurement (AND)
‣ ‣ Erase Logged Events (OR)
‣ ‣ ‣ Extract Meter Passwords (A2.1)
‣ ‣ ‣ Tamper in Flight (A2.2)
‣ ‣ (OR)
‣ ‣ ‣ Disconnect Meter (A1.1)
‣ ‣ ‣ Meter Inversion (A1.2)
Two rules for termination:
1. Attack is on a vendor-specific component
2. Target may be guarded by a protection mechanism
System Under Test
• PSTN connected collector
• 120V AC
• ANSI C12.21
• PBX “intrusion detection”
• 900 MHz wireless mesh collector/meter network
• Infrared “near-field” security for configuration port
[Figure: lab setup: Utility Machine and Attacker Machine on a PBX, Modem, Collector with Radio Rcvr, two Repeaters, two Loads, Infrared configuration port]
Fraud Concrete
[Figure: the "Tamper Usage Data" archetypal tree of slide 10 with concrete subtrees grafted at two leaves for this SUT. At A3.1 Intercept Communications (OR): Splice Into Meter I/O Bus (a1.1); Via Telephone (AND): Interpose on Collector PSTN Link (a2.1), Circumvent Intrusion Detection (a2.2); Via Wireless Mesh (a3.1). At A3.3 Spoof Meter (AND): Initiate Session with Utility (AND): Identify Self as Meter (a4.1), Complete Authentication Round (a4.2); Run Diagnostic (a5.1); Transmit Forged Usage Data (a6.1)]
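As an added example (not the authors' tool), here is how the archetypal-to-concrete grafting of slides 11, 12, 18 and 20 can be mechanised: the archetypal "Forge Demand" subtree is encoded as AND/OR nodes with its A-labels, one constructed PSTN-path subtree is grafted at a labelled leaf, and the tree is evaluated against the set of leaves demonstrated in the lab to find which single mitigation would cut every demonstrated path. The AND/OR reading of the slide's gates, the intermediate node name "Evade Measurement", and the choice of grafting point are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """AND/OR attack-tree node; a LEAF may carry an archetypal label such as 'A2.2'."""
    name: str
    gate: str = "LEAF"            # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    label: str = ""

def graft(tree, label, subtree):
    """Return a copy of the tree with the archetypal leaf carrying `label` replaced by a concrete subtree."""
    if tree.gate == "LEAF":
        return subtree if tree.label == label else tree
    return Node(tree.name, tree.gate, [graft(c, label, subtree) for c in tree.children], tree.label)

def achievable(tree, demonstrated):
    """True if the goal holds given the set of leaf attacks demonstrated during pen testing."""
    if tree.gate == "LEAF":
        return tree.name in demonstrated
    results = [achievable(c, demonstrated) for c in tree.children]
    return all(results) if tree.gate == "AND" else any(results)

def leaves(tree):
    return [tree.name] if tree.gate == "LEAF" else [n for c in tree.children for n in leaves(c)]

def single_point_mitigations(tree, demonstrated):
    """Demonstrated leaves whose removal alone makes the goal unachievable: the cheapest places to defend."""
    if not achievable(tree, demonstrated):
        return []
    return sorted(l for l in set(leaves(tree)) & set(demonstrated)
                  if not achievable(tree, set(demonstrated) - {l}))

# Archetypal tree as read from the "Construction of Archetypal Trees" slide (labels A1.1..A2.2).
ARCHETYPAL = Node("Forge Demand", "OR", [
    Node("Interrupt Measurement", "AND", [
        Node("Erase Logged Events", "OR", [
            Node("Extract Meter Passwords", label="A2.1"),
            Node("Tamper in Flight", label="A2.2")]),
        Node("Evade Measurement", "OR", [    # unnamed OR on the slide; name is ours
            Node("Disconnect Meter", label="A1.1"),
            Node("Meter Inversion", label="A1.2")])])])

# Constructed concrete subtree for one SUT: the PSTN-collector path of the "Fraud Concrete" slide.
VIA_TELEPHONE = Node("Via Telephone", "AND", [
    Node("Interpose on Collector PSTN Link"),
    Node("Circumvent Intrusion Detection")])

def analyse(demonstrated):
    """Graft the concrete path at A2.2 (assumed grafting point) and evaluate against lab results."""
    tree = graft(ARCHETYPAL, "A2.2", VIA_TELEPHONE)
    return achievable(tree, demonstrated), single_point_mitigations(tree, demonstrated)

if __name__ == "__main__":
    print(analyse({"Disconnect Meter", "Interpose on Collector PSTN Link", "Circumvent Intrusion Detection"}))
```

A leaf that appears in the mitigation list is a protection mechanism (rule 2 of the termination rules) whose restoration alone defeats every path the lab demonstrated.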
Enabling Attacks (Fraud)
• Defeating modem “intrusion detection”
‣ “off hook” events on the line are detected by the Foreign Exchange Office (FXO) port sensing the presence of dial-tone voltage on the line
‣ current calls are dropped if off hook is detected
‣ such events can be suppressed simply by preventing voltage from arriving at the FXO
Enabling Attacks (Fraud)
[Figure: Valid Authentication Session between a meter and the Utility: the meter sends "Identify"; the Utility answers with a Nonce; the meter replies with Hash(Password, Nonce). A second session is shown beside it in which the Utility issues a fresh Nonce' and expects Hash(Password, Nonce')]