Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges

Systems and Internet Infrastructure Security Laboratory (SIIS)
DIMACS Workshop on Algorithmic Decision Theory for the Smart Grid
Stephen McLaughlin - Penn State University
Tuesday, October 19, 2010

Slide 2: Meter Data Management (for the last 100 years)

Slide 3: Meter Data Management (now and in the near future)

[Figure: two load profiles from one meter, kW on the vertical axis. "One Hour": 18:00:00 to 19:00:00 at 10-minute ticks, roughly 2 to 7 kW. "One Day": 00:00 to 00:00 at 4-hour ticks, roughly 0 to 18 kW.]

Slide 4: Meter Data Management (now and in the near future)

[Figure: the same "One Hour" and "One Day" kW profiles, annotated with what fine-grained readings reveal: Peak Usage, Peak Transient, Hourly Average, Time of Use, Types of appliances, Power Quality over time, Repetitive Features, Geolocation, Outages, Tampering.]

Slide 5: AMI - the justification

• Automated Meter Reading
  ‣ Pre-smart meter automated reading and outage notification
  ‣ Now expanding to Internet-connected SCADA systems
• Dynamic pricing schemes
  ‣ Time Of Use (peak load management)
  ‣ Maximum demand
  ‣ Demand response
• Flexible energy generation
  ‣ Enable consumer generation
  ‣ Alternate energy sources

Slide 6: AMI - the concerns

• What should we be concerned about?
  ‣ Accuracy/Fraud
  ‣ Consumer privacy
  ‣ National security

Slide 7: Penetration Testing AMI

“The organization assesses the security requirements in the Smart Grid information system on an organization-defined frequency to determine the extent the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the Smart Grid information system.”

- p. 117

Slide 8: Vulnerability Assessment

• Penetration testing: the art and science of breaking systems by applying attacker tools against live systems.
  ‣ Destructive research attempts to illuminate the exploitable flaws and the effectiveness of security infrastructure.
• Bottom line Q/A
  ‣ Q: why are we doing this?
  ‣ A: part of a Lockheed-Martin grant to aid the energy industry in identifying problems before they are found “in the wild”.
  ‣ Q: what are we doing?
  ‣ A: evaluating a number of vendor products in the lab that are used in neighborhood-level deployments, i.e., we only look at the meters and collectors.

Slide 9: AMI Architectures

[Figure: two meter LAN technologies, "Meter LAN 1: Power Line Communication" and "Meter LAN 2: RF Mesh", each made up of collectors and repeaters, connected over a backhaul network (cellular, Internet or PSTN) to the utility server.]

Slide 10: Attack Trees

[Figure: three sub-trees under the goal Tamper Usage Data: (a) Tamper Measurement, (b) Tamper Stored Demand, (c) Tamper in Network. Labelled leaves: A1.1 Disconnect Meter; A1.2 Meter Inversion (Bypass Meter AND Reverse Meter); A1.3 Log In and Clear Event History; A2.1 Recover Meter Passwords; A2.2 Log In and Reset Net Usage; A2.3 Physically Tamper Storage; A3.1 Intercept Communications; A3.2 Man in the Middle; A3.3 Spoof Meter. Intermediate nodes: Clear Logged Events, Reset Net Usage, Inject Usage Data, joined by OR and AND connectives.]

A means for pen-testing planning

Slide 11: Archetypal Trees

• Idea: can we separate the issues that are vendor independent from those that are specific to the vendor/device, e.g., access media?
• ... then reuse an archetypal tree as a base for each vendor specific concrete tree.

[Figure: an archetypal tree for one adversarial goal is turned into concrete trees for systems S1 and S2 by attack grafting, which attaches system-specific sub-trees (labelled A and B) at the archetypal leaves.]

Slide 12: Pen Testing via Archetypal Trees

1. capture architectural description
2. construct archetypal trees (for each attacker goal)
3. capture vendor-specific description (for SUT)
4. construct concrete tree
5. perform penetration testing and graft leaves toward goals

This paper: 3 attack trees (fraud, DOS, disconnect), 2 "systems under test" (SUT)

Slides 13-18: Construction of Archetypal Trees

The archetypal tree for the goal "Forge Demand" is built up one step per slide:

• Slide 13: the root goal, Forge Demand.
• Slide 14: the subgoal Interrupt Measurement.
• Slide 15: Disconnect Meter, Meter Inversion and Erase Logged Events beneath Interrupt Measurement (joined on the slide by an OR and an AND).
• Slide 16: Extract Meter Passwords and Tamper in Flight as further branches (the slide adds another OR).
• Slides 17-18: the leaves are labelled A1.1 (Disconnect Meter), A1.2 (Meter Inversion), A2.1 (Extract Meter Passwords) and A2.2 (Tamper in Flight).

Two rules for termination:

1. Attack is on a vendor-specific component
2. Target may be guarded by a protection mechanism

Slide 19: System Under Test

• PSTN connected collector
• ANSI C12.21
• “intrusion detection”
• 900 MHz wireless mesh collector/meter network
• Infrared “near-field” security for configuration port

[Figure: test-bed layout. A collector and repeaters on 120V AC with attached loads; the figure also shows a radio receiver, an infrared link, a modem, a PBX, the utility machine and the attacker machine.]

Slide 20: Fraud Concrete

[Figure: the fraud archetypal tree from slide 10 (goal Tamper Usage Data, leaves A1.1 to A3.3), with concrete leaves grafted under A3.1 Intercept Communications and A3.3 Spoof Meter for this system under test.]

Concrete leaves (labelled a1.1 to a6.1, joined by OR and AND connectives):
• Under Intercept Communications: Via Wireless Mesh; Splice Into Meter I/O Bus; Via Telephone; Interpose on Collector PSTN Link; Circumvent Intrusion Detection
• Under Spoof Meter: Initiate Session with Utility; Identify Self as Meter; Complete Authentication Round; Run Diagnostic up to Usage Data; Transmit Forged Usage Data

Slide 21: Enabling Attacks (Fraud)

• Defeating modem “intrusion detection”
  ‣ “off hook” events on the line are detected at the Foreign Exchange Office (FXO) port by sensing the presence of dial-tone voltage on the line.
  ‣ current calls are dropped if off hook is detected
  ‣ such events can be suppressed simply by preventing the voltage from arriving at the FXO

Slides 22-25: Enabling Attacks (Fraud)

[Figure, built up over four slides: the authentication round between a meter and the utility.]

Valid authentication session, messages as drawn on the slide:
  Identify
  Nonce
  Hash(Password, Nonce)
  Hash(Password, Nonce')

• Replay attack: I can replay the nonce from a previous session to impersonate the meter.

Replay attack, as drawn on the slide:
  Identify
  Nonce (replayed from a valid session)
  Hash(Password, Nonce)
  Hash(Password, Nonce')

• All subsequent messages are the same
• Attacker need not know password
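As an added illustration, not code from the talk or the paper, the following Python model reproduces the round above and shows both why the replay works and what closes it: in the weak variant the utility's Nonce' is a fixed function of the meter's Nonce (my modelling of "all subsequent messages are the same"), so a recorded session is accepted verbatim; in the hardened variant the utility draws a fresh Nonce' every round and the recorded reply no longer verifies. It assumes the meter offers Nonce with its Identify and the utility supplies Nonce', and uses HMAC-SHA256 for the unspecified Hash().

```python
import hashlib
import hmac
import os

# Added toy model of the authentication round sketched on the slides; every
# value is constructed, and HMAC-SHA256 stands in for the unspecified Hash():
#   meter   -> utility : Identify, Nonce
#   utility -> meter   : Nonce', Hash(Password, Nonce)
#   meter   -> utility : Hash(Password, Nonce')
PASSWORD = b"constructed-meter-password"

def h(password, nonce):
    return hmac.new(password, nonce, hashlib.sha256).digest()

def utility_challenge(meter_nonce, fresh):
    # Weak variant (modelling the slide's "all subsequent messages are the
    # same"): Nonce' is a fixed function of the meter's Nonce, so a recorded
    # session answers it. Hardened variant: Nonce' is drawn fresh every round.
    return os.urandom(16) if fresh else hashlib.sha256(meter_nonce).digest()[:16]

def run_round(meter, fresh):
    """Utility side of one round; `meter` maps each message to its reply."""
    nonce = meter("identify")                    # Identify + Nonce
    nonce2 = utility_challenge(nonce, fresh)
    reply = meter((nonce2, h(PASSWORD, nonce)))  # utility proves the password
    return hmac.compare_digest(reply, h(PASSWORD, nonce2))

def genuine_meter(msg):
    if msg == "identify":
        return os.urandom(16)
    nonce2, _utility_proof = msg
    return h(PASSWORD, nonce2)

def record_transcript(fresh):
    """A passive eavesdropper writes down one genuine session."""
    log = {}
    def tapped(msg):
        log[msg == "identify"] = genuine_meter(msg)  # True: Nonce, False: reply
        return log[msg == "identify"]
    run_round(tapped, fresh)
    return log

def replay_accepted(fresh):
    """Does the utility accept a verbatim replay sent without the password?"""
    log = record_transcript(fresh)
    return run_round(lambda msg: log[msg == "identify"], fresh)
```

`replay_accepted(fresh=False)` returns True and `replay_accepted(fresh=True)` returns False, while `run_round(genuine_meter, fresh)` succeeds in both variants: the fix costs the legitimate meter nothing.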

Slide 26: Targeted Disconnect AT

[Figure: attack tree for the goal Targeted Disconnect. One branch is Directly Issue Disconnect, reached via Issue from Network or Issue via Optical Port, with leaves R1.1 Determine Target ID or Address, R1.2 Issue Remote Disconnect, R1.3 Recover Meter Passwords and R1.4 Issue Local Disconnect. The other is Tamper with Switch, an AND of R2.1 Remove Meter Cover, R2.2 Manipulate Switch to Disconnect and R2.3 Replace Tamper Seal.]

Slide 27: Enabling Attacks (Disconnect)

• Physical tamper “evidence”
  ‣ Limited tamper seals, which enables ...
• Passwords are stored in EEPROM
  ‣ Physical access to the device can yield all of the data held in non-volatile memory, which enables ...
• Authentication secrets derived from passwords
  ‣ Bypass the authentication system, which enables ...
• Issue disconnect command.

Note: if you can break the dependency chain, you can prevent the attack, i.e., simple measures can often prevent complex attacks.
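Added example for the tree-based planning of slide 12 and the dependency-chain note above (not from the talk or the ACSAC paper): a small AND/OR evaluator that computes the minimal cut sets of the Targeted Disconnect tree, i.e. the smallest sets of leaf attacks a defender must block for the goal to become unreachable. Leaf labels are the slide's; the exact placement of the connectives is my reading of the figure and an assumption.

```python
from itertools import product

# Added example, not from the talk: read an AND/OR attack tree the way a defender
# does, by computing the minimal sets of leaf attacks that must be blocked for the
# root goal to become unreachable. Node labels are the slide's; the exact shape
# (which connective sits where) is my reading of the figure and an assumption.
AND, OR = "and", "or"

def node(op, *children):
    return (op, children)

DISCONNECT = node(OR,
    node(AND, "R1.1 Determine Target ID or Address",
         node(OR,
              node(AND, "R1.3 Recover Meter Passwords", "R1.2 Issue Remote Disconnect"),
              node(AND, "R1.3 Recover Meter Passwords", "R1.4 Issue Local Disconnect"))),
    node(AND, "R2.1 Remove Meter Cover", "R2.2 Manipulate Switch to Disconnect",
         "R2.3 Replace Tamper Seal"))

def reachable(tree, blocked):
    """Can the adversary still reach the goal when these leaves are blocked?"""
    if isinstance(tree, str):
        return tree not in blocked
    op, kids = tree
    results = [reachable(k, blocked) for k in kids]
    return all(results) if op == AND else any(results)

def minimal(sets):
    sets = set(sets)
    return {s for s in sets if not any(t < s for t in sets)}

def cut_sets(tree):
    """Minimal leaf sets whose blocking makes `tree` unreachable: one blocked
    child kills an AND node, every child must be blocked to kill an OR node."""
    if isinstance(tree, str):
        return {frozenset([tree])}
    op, kids = tree
    if op == AND:
        return minimal(s for k in kids for s in cut_sets(k))
    combos = product(*(cut_sets(k) for k in kids))
    return minimal(frozenset().union(*c) for c in combos)

def smallest_cuts(tree):
    """The cheapest defences: cut sets of minimum size, e.g. protecting stored
    passwords (R1.3) plus one tamper-evidence step blocks the whole goal."""
    cuts = cut_sets(tree)
    k = min(len(c) for c in cuts)
    return sorted(sorted(c) for c in cuts if len(c) == k)
```

`smallest_cuts(DISCONNECT)` returns six two-leaf defences, each pairing one tamper-with-switch countermeasure with either R1.1 or R1.3; blocking R1.3 alone still leaves the physical branch open, which `reachable` confirms.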

Slide 28: Disconnect Concrete

[Figure: the Targeted Disconnect archetypal tree from slide 26, with concrete leaves grafted for this system under test.]

Concrete grafts:
• R1.3 / A2.1 Recover Meter Passwords: Trojan Optical Port (r1.1) OR Physically Extract from Meter (r1.2)
• R1.2 Issue Remote Disconnect: Mutually Authenticate with Meter (r2.1) AND Issue Disconnect Command (r2.2)

Slide 29: Attacks Summary

Slide 30: Challenges: Logistical

• Uncooperative meter vendors
• Establishing standards for pen-testing, e.g. collections of attack trees
• Pen testing products, not deployments

Slide 31: Challenges: Methodological

• Enumerating adversarial goals (security is largely reactive)
• Being comprehensive in attack tree construction
• Automation of the process using existing modeling techniques such as threat modeling

Slide 32: Summary

• Horizontal penetration testing is now essential
  ‣ Transitions of major infrastructure and critical systems mandate external review of by-sector vulnerabilities.
• Archetypal trees are a way to get there
  ‣ Focus energies on adversarial efforts leading to goals
  ‣ Approaches goals of certifications like Common Criteria
• Smart grid: deployments are outstripping our ability to understand and manage vulnerabilities
  ‣ Society must get ahead of problems before they lead to potentially devastating events
  ‣ Needs more back-pressure to improve deployed solutions.

Slide 33: Questions?

• Patrick McDaniel ([email protected])
• Stephen McLaughlin ([email protected])
• Project Page: http://siis.cse.psu.edu/smartgrid.html
• Papers
  ‣ Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Multi-vendor Penetration Testing in the Advanced Metering Infrastructure. Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), December 2010. Austin, TX.
  ‣ Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Embedded Firmware Diversity for Smart Electric Meters. Proceedings of the 5th Workshop on Hot Topics in Security (HotSec '10), August 2010. Washington, DC.
  ‣ Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel. Energy Theft in the Advanced Metering Infrastructure. In the 4th International Workshop on Critical Information Infrastructure Security, September 2009. Bonn, Germany.