Systems and Internet Infrastructure Security Laboratory (SIIS) Page
Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges
DIMACS Workshop on Algorithmic Decision Theory for the Smart Grid
Stephen McLaughlin - Penn State University
1
Tuesday, October 19, 2010
Meter Data Management (for the last 100 years)
[Figure: load plots, one spanning one hour (18:00 to 19:00) and one spanning one day (00:00 to 00:00), both in kW]
Meter Data Management (now and in the near future)
[Figure: the same load data at two resolutions, One Day (00:00 to 00:00, kW) and One Hour (18:00 to 19:00, kW)]
Meter Data Management (now and in the near future)
[Figure: the One Day and One Hour load plots annotated with what fine-grained readings reveal: Peak Usage, Peak Transient, Hourly Average, Time of Use, Types of appliances, Power Quality over time, Repetitive Features, Geolocation, Outages, Tampering]
AMI - the justification
• Automated Meter Reading
‣ Pre-smart meter automated reading and outage notification
‣ Now expanding to Internet-connected SCADA systems
• Dynamic pricing schemes
‣ Time Of Use (peak load management)
‣ Maximum demand
‣ Demand response
• Flexible energy generation
‣ Enable consumer generation
‣ Alternate energy sources
AMI - the concerns
• What should we be concerned about?
‣ Accuracy/Fraud
‣ Consumer privacy
‣ National security
Penetration Testing AMI
“The organization assesses the security requirements in the Smart Grid information system on an organization-defined frequency to determine the extent the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the Smart Grid information system.” (p. 117)
Vulnerability Assessment
• Penetration testing: the art and science of breaking systems by applying attacker tools against live systems.
‣ Destructive research that attempts to illuminate exploitable flaws and the effectiveness of the security infrastructure.
• Bottom line Q/A
‣ Q: why are we doing this?
‣ A: part of a Lockheed-Martin grant to aid the energy industry in identifying problems before they are found “in the wild”.
‣ Q: what are we doing?
‣ A: evaluating a number of vendor products in the lab that are used in neighborhood-level deployments, i.e., we only look at the meters and collectors.
AMI Architectures
[Figure: two meter LAN options, Meter LAN 1: Power Line Communication and Meter LAN 2: RF Mesh, each with collectors and repeaters; the collectors reach the utility server over a backhaul network (cellular, Internet or PSTN)]
Attack Trees
[Figure: AND/OR attack tree for the goal Tamper Usage Data, with three subtrees:
(a) Tamper Measurement: Disconnect Meter (A1.1); Meter Inversion (A1.2) = Bypass Meter AND Reverse Meter; Clear Logged Events: Log In and Clear Event History (A1.3)
(b) Tamper Stored Demand: Recover Meter Passwords (A2.1); Reset Net Usage: Log In and Reset Net Usage (A2.2), Physically Tamper Storage (A2.3)
(c) Tamper in Network: Inject Usage Data: Intercept Communications (A3.1), Man in the Middle (A3.2), Spoof Meter (A3.3)]
A means for pen-testing planning
Archetypal Trees
• Idea: can we separate the issues that are vendor independent from those that are specific to the vendor/device, e.g., access media?
• ... then reuse an archetypal tree as a base for each vendor specific concrete tree.
[Figure: one archetypal tree per adversarial goal is turned into concrete trees for systems S1 and S2 by attack grafting at its leaves (labelled A and B)]
Pen Testing via Archetypal Trees
1. capture architectural description
2. construct archetypal trees (for each attacker goal)
3. capture vendor-specific description (for SUT)
4. construct concrete tree
5. perform penetration testing and graft leaves toward goals
This paper: 3 attack trees (fraud, DoS, disconnect), 2 “systems under test” (SUT)
Construction of Archetypal Trees
[Figure, built up across slides 13 to 17: the goal Forge Demand is expanded into Interrupt Measurement; the tree then grows the nodes Disconnect Meter, Meter Inversion and Erase Logged Events (joined by OR/AND nodes), then Extract Meter Passwords and Tamper in Flight, and finally the leaves receive the labels A1.1, A1.2, A2.1, A2.2]
Construction of Archetypal Trees
Two rules for termination:
1. Attack is on a vendor-specific component
2. Target may be guarded by a protection mechanism
System Under Test
• PSTN connected collector
• ANSI C12.21
• “intrusion detection”
• 900 MHz wireless mesh collector/meter network
• Infrared “near-field” security for configuration port
[Figure: lab setup with a collector and repeaters on 120V AC, meters with loads, a radio receiver, a PBX and modem on the PSTN path to the utility machine, an attacker machine, and an infrared configuration port]
Fraud Concrete
[Figure: the fraud attack tree from slide 10 (subtrees (a), (b), (c) with leaves A1.1 to A3.3) with concrete subtrees grafted below Intercept Communications (A3.1) and Spoof Meter (A3.3). Concrete nodes for the SUT, labelled a1.1 to a6.1 and joined by AND/OR nodes: Via Wireless Mesh, Splice Into Meter I/O Bus, Via Telephone, Initiate Session with Utility, Identify Self as Meter, Complete Authentication Round, Run Diagnostic up to Usage Data, Transmit Forged Usage Data, Interpose on Collector PSTN Link, Circumvent Intrusion Detection]
Enabling Attacks (Fraud)
• Defeating modem “intrusion detection”
‣ “off hook” events on the line are detected by the Foreign Exchange Office (FXO) sensing the presence of dial-tone voltage on the line.
‣ current calls are dropped if off hook is detected
‣ such events can be suppressed simply by preventing voltage from arriving at the FXO
Enabling Attacks (Fraud)
[Figure: Valid Authentication Session between the meter and the Utility: Identify and Nonce are sent, followed by Hash(Password,Nonce) and Hash(Password,Nonce')]
• Replay attack: I can replay the nonce from a previous session to impersonate the meter.
[Figure: Replay Attack: the attacker replays the Nonce from a valid session]
• All subsequent messages are the same
• Attacker need not know password
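As an added illustration, not code from the slides or the paper, a toy model of the authentication round above: a utility that derives Nonce' from the meter's Nonce accepts a verbatim replay of a recorded session, while one that picks a fresh random Nonce' rejects it. The hash function, nonce sizes, password and the derived-Nonce' variant are assumptions; the slides do not say how Nonce' is chosen.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"constructed-shared-secret"   # constructed sample; per-meter in practice

def h(password: bytes, nonce: bytes) -> bytes:
    """Stand-in for the slides' Hash(Password, Nonce)."""
    return hashlib.sha256(password + nonce).digest()

class Utility:
    """Utility side of the round: answers the meter's Nonce, then challenges with Nonce'."""
    def __init__(self, password: bytes, fresh_challenge: bool):
        self.password = password
        self.fresh_challenge = fresh_challenge

    def challenge(self, meter_nonce: bytes) -> bytes:
        if self.fresh_challenge:
            return secrets.token_bytes(8)        # unpredictable Nonce' for every session
        return h(b"derive", meter_nonce)[:8]     # assumed weak variant: Nonce' fixed by Nonce

    def run_round(self, meter_nonce: bytes, meter_answer) -> bool:
        """meter_answer(nonce_prime) -> bytes is the reply of whoever claims to be the meter."""
        _utility_proof = h(self.password, meter_nonce)  # Hash(Password, Nonce) sent to the meter
        nonce_prime = self.challenge(meter_nonce)
        expected = h(self.password, nonce_prime)        # Hash(Password, Nonce') the meter must return
        return hmac.compare_digest(meter_answer(nonce_prime), expected)

def replay_accepted(fresh_challenge: bool) -> bool:
    """Record one genuine round, then replay its messages verbatim as the meter."""
    utility = Utility(PASSWORD, fresh_challenge)
    nonce = secrets.token_bytes(8)
    recorded = {}
    def real_meter(nonce_prime: bytes) -> bytes:     # knows the password; its reply is recorded
        recorded["proof"] = h(PASSWORD, nonce_prime)
        return recorded["proof"]
    assert utility.run_round(nonce, real_meter)        # genuine session succeeds either way
    # Impersonator: same opening Nonce, recorded closing proof, no password involved.
    return utility.run_round(nonce, lambda _: recorded["proof"])

if __name__ == "__main__":
    print(replay_accepted(fresh_challenge=False))   # True: every later message repeats
    print(replay_accepted(fresh_challenge=True))    # False: Nonce' differs, proof rejected
```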
Targeted Disconnect AT
[Figure: archetypal AND/OR attack tree for Targeted Disconnect. Nodes: Directly Issue Disconnect, Issue from Network, Issue via Optical Port, Determine Target ID or Address, Issue Remote Disconnect, Recover Meter Passwords, Issue Local Disconnect, Tamper with Switch, Remove Meter Cover, Manipulate Switch to Disconnect, Replace Tamper Seal; leaf labels R1.1 to R1.4 and R2.1 to R2.3]
Enabling Attacks (Disconnect)
• Physical tamper “evidence”
‣ Limited tamper seals, which enables ...
• Passwords are stored in EEPROM
‣ Physical access to the device can yield all of the data held in non-volatile memory, which enables ...
• Authentication secrets derived from passwords
‣ Bypass the authentication system, which enables ...
• Issue disconnect command.
Note: if you can break the dependency chain, you can prevent the attack, i.e., simple measures can often prevent complex attacks.
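To make the grafting step of the five-step method (slide 12) and the dependency-chain note above concrete, an added example that is not part of the slides or the paper: a small AND/OR attack-tree model that grafts concrete leaves onto an archetypal leaf and checks whether the goal is reachable from the leaves pen testing demonstrated, so removing one leaf of an AND chain breaks the goal. The tree is a simplified reading of the Targeted Disconnect trees; its AND/OR wiring and any leaf labels beyond those on the slides are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Node:
    name: str
    op: str = "LEAF"                    # "AND", "OR" or "LEAF"
    label: Optional[str] = None         # archetypal (R1.3) or concrete (r1.2) leaf id
    children: List["Node"] = field(default_factory=list)

def graft(tree: Node, label: str, concrete: Node) -> bool:
    """Step 5: replace the archetypal leaf `label` with a vendor-specific subtree."""
    if tree.op == "LEAF" and tree.label == label:
        tree.op, tree.children = concrete.op, concrete.children
        return True
    return any(graft(c, label, concrete) for c in tree.children)

def achievable(tree: Node, demonstrated: Set[str]) -> bool:
    """A leaf holds iff pen testing demonstrated it; AND/OR nodes combine their children."""
    if tree.op == "LEAF":
        return tree.label in demonstrated
    hits = [achievable(c, demonstrated) for c in tree.children]
    return all(hits) if tree.op == "AND" else any(hits)

def disconnect_tree() -> Node:
    """Simplified archetypal Targeted Disconnect tree (AND/OR wiring assumed)."""
    remote = Node("Issue Remote Disconnect", "AND", children=[
        Node("Determine Target ID or Address", label="R1.1"),
        Node("Recover Meter Passwords", label="R1.3")])
    local = Node("Issue Local Disconnect", "AND", children=[
        Node("Remove Meter Cover", label="R2.1"),
        Node("Manipulate Switch to Disconnect", label="R2.2"),
        Node("Replace Tamper Seal", label="R2.3")])
    return Node("Targeted Disconnect", "OR", children=[remote, local])

def concrete_disconnect_tree() -> Node:
    """Graft the SUT-specific ways of recovering passwords onto leaf R1.3."""
    tree = disconnect_tree()
    graft(tree, "R1.3", Node("Recover Meter Passwords", "OR", children=[
        Node("Trojan Optical Port", label="r1.1"),
        Node("Physically Extract from Meter", label="r1.2")]))
    return tree

def goal_reached(demonstrated: Set[str]) -> bool:
    return achievable(concrete_disconnect_tree(), demonstrated)

if __name__ == "__main__":
    print(goal_reached({"R1.1", "r1.2"}))   # True: EEPROM extraction completes the chain
    print(goal_reached({"R1.1"}))           # False: fixing that one leaf breaks the chain
```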
Disconnect Concrete
[Figure: the Targeted Disconnect tree with concrete subtrees grafted: Recover Meter Passwords (R1.3 / A2.1) becomes Trojan Optical Port (r1.1) OR Physically Extract from Meter (r1.2); Issue Remote Disconnect (R1.2) becomes Mutually Authenticate with Meter (r2.1) AND Issue Disconnect Command (r2.2)]
Attacks Summary
Challenges: Logistical
• Uncooperative meter vendors
• Establishing standards for pen-testing, e.g. collections of attack trees
• Pen testing products, not deployments
Challenges: Methodological
• Enumerating adversarial goals (security is largely reactive)
• Being comprehensive in attack tree construction
• Automation of the process using existing modeling techniques such as threat modeling
Summary
• Horizontal penetration is now essential
‣ Transitions of major infrastructure and critical systems mandate external review of by-sector vulnerabilities.
• Archetypal trees are a way to get there
‣ Focus energies on adversarial efforts leading to goals
‣ Approaches goals of certifications like Common Criteria
• Smart grid: Deployments outstripping our ability to understand and manage vulnerabilities
‣ Society must get ahead of problems before they lead to potentially devastating events
‣ Needs more back-pressure to improve deployed solutions.
Questions?
• Patrick McDaniel ([email protected])
• Stephen McLaughlin ([email protected])
• Project Page: http://siis.cse.psu.edu/smartgrid.html
• Papers
‣ Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Multi-vendor Penetration Testing in the Advanced Metering Infrastructure. Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), December 2010. Austin, TX.
‣ Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Embedded Firmware Diversity for Smart Electric Meters. Proceedings of the 5th Workshop on Hot Topics in Security (HotSec '10), August 2010. Washington, DC.
‣ Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel. Energy Theft in the Advanced Metering Infrastructure. In the 4th International Workshop on Critical Information Infrastructure Security, September 2009. Bonn, Germany.