AMI Threats Intrusion detection requirements deployment recommendations

AMI THREATSINTRUSION DETECTION

REQUIREMENTS DEPLOYMENT

RECOMMENDATIONSDavid Grochocki et al

WHY SECURITY? Lures Potential attackers Smartmeters do two way

communication Millions of Meters has to be replaced Serious damages just a click away

PAPER DESCRIPTION

Survey Various Threats

Identify Common Attack Techniques

Decompose the data to form a Attack Tree

Identify the required information which would detech the

attacks

Model an IDS

AMI ARCHITECTURE

AMI ARCHITECTURE Communication between NAN and

Gateway (DCU) – Mostly 802.15.4 or sometimes 802.11

Communication between Gateway (DCU) and Utility company – 3G, Edge, WiMax.

NAN Mesh offers reliability and robustness

But., Complicates Security Monitoring

Solution Few smart meter vendors distribute

meters which can report to the utility company directly through user’s home internet.

ATTACK MOTIVATION Access to a communication

infrastructure other than Internet Access to millions of low computation

devices Access to sensitive customer

information High visibility and Impact Financial Value of Consumption data

ATTACK SURVEY 5 Attack motivations 30 Unique attack techniques Relevant ones to AMI are alone

considered

PAPER DESCRIPTION





attacks

Model an IDS

DECOMPOSED ATTACK CASES DDoS attack Stealing Customer Information Remote Disconnection

DDOS AGAINST DCU Why? Results in data outage for many

Meters How? Install malware on meter or remote

network exploit Co-ordinate DDoS among

compromised meters Flood DCU with large packets

STEALING CUSTOMER INFO Why? Eavesdropping, Social Engineering How? Stealing encryption keys of the

smart meter by physically tampering or bruteforcing the cryptosystem

Capture AMI traffic Decrypt to obtain clear text

information

REMOTE DISCONNECT Why? Distrupt Business, Inflict loss How? Installing malware on the DCU

through physical tampering or by exploiting a network vulnerability

Identify the meters with corresponding address information

Use that information to disconnect targeted users

ATTACK TREE

PAPER DESCRIPTION





attacks

Model an IDS

INFORMATION REQUIRED System Information CPU Usage, Battery Level,

Firmware Intergrity, Clock Synchronisation

Network Information NAN Collision rate, Packet loss Policy Information Authorized AMI devices,

Authorized Updates, Address Mappings, Authorized services

INFORMATION REQUIRED

PAPER DESCRIPTION





attacks

Model an IDS

IDS MODELS Centralized IDS Model

Utility Company IDS DCU

CENTRALIZED IDS Can detect attacks against Utility

network But, will miss attacks against smart

meters

EMBEDDED IDS

DCU

Meter + IDS

Meter + IDS

Meter

Meter

MeterMeter

+IDS

EMBEDDED IDS Will have access to meter specific

information But., Attacks on DCU cannot be detected Functioning both as a meter and IDS can

be resource intensive Keys of all other meters have to be

stored in Meter + IDS devices to inspect data

Not a good idea to store some one’s decryption key on some one else’s meter

DEDICATED IDS SENSORS

DCU

Meter IDS

Meter

Meter

MeterIDS

DEDICATED IDS SENSORS More processing power Less number of IDS sensors required So less number of places where keys are

stored But still, Attacks on DCU are not

detected

HYBRID SENSORS

DCU

Meter IDS

Meter

Meter

MeterIDS

Utility Company

IDS

HYBRID SENSORS Either Centralized + Embedded or

Centralized + Dedicated sensors Can detect both attacks at both (DCS

and NAN) ends

ANYTHING ELSE? According to the architecure discussed

in this paper, DCU is the device which is more likely to have a Public IP address

Smart meter vendors or third parties may soon start integrating 802.11 or GSM/3G into smart meters

But, why?

HOME PANEL

SO WHAT? Banner Grabbing! SHODAN – Exponse Online Devices Ipv4 computer search engine Webcams, Routers, Power Plants,

iPhones, Wind Turbines, Refrigerators, VoIP Phones

SCHNEIDER PLC GATEWAY

SIEMENS SIMATIC HMI

IPV6 INDEXING

QUESTIONS?

Documents

AMI Threats Intrusion detection requirements deployment recommendations