AMI Threats Intrusion detection requirements deployment


David Grochocki et al.
• Lures potential attackers
• Smart meters do two-way communication
• Millions of meters have to be replaced
• Serious damage just a click away
Survey Various Threats
Identify the required information which would detect the attacks
Identify Common Attack Techniques
Model an IDS
Decompose the data to form an Attack Tree
• Communication between NAN and Gateway (DCU) – mostly 802.15.4 or sometimes 802.11
• Communication between Gateway (DCU) and utility company – 3G, EDGE, WiMAX
• NAN mesh offers reliability and robustness
• But,
• Complicates security monitoring solution
• Few smart meter vendors distribute meters which can report to the utility company directly through the user’s home internet.
Attack motivations
• Access to a communication infrastructure other than the Internet
• Access to millions of low-computation devices
• Access to sensitive customer information
• High visibility and impact
• Financial value of consumption data

• 30 unique attack techniques
• Only the ones relevant to AMI are considered
• DDoS attack
• Stealing Customer Information
• Remote Disconnection
• Why?
  Results in data outage for many meters
• How?
  - Install malware on meter or remote network exploit
  - Coordinate DDoS among compromised meters
  - Flood DCU with large packets

• Why?
  Eavesdropping, social engineering
• How?
  - Stealing encryption keys of the smart meter by physically tampering or brute-forcing the cryptosystem
  - Capture AMI traffic
  - Decrypt to obtain clear text information

• Why?
  Disrupt business, inflict loss
• How?
  - Installing malware on the DCU through physical tampering or by exploiting a network vulnerability
  - Identify the meters with corresponding address information
  - Use that information to disconnect targeted users
• System Information
  - CPU Usage, Battery Level, Firmware Integrity, Clock Synchronisation
• Network Information
  - NAN Collision rate, Packet loss
• Policy Information
  - Authorized AMI devices, Authorized Updates, Address Mappings, Authorized services
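
The three information categories above, turned into sensor-side checks over one meter report. This is an added example, not code from the paper or the slides; the field names, thresholds and sample reports are constructed assumptions.

```python
import hashlib

def fw_hash(image: bytes) -> str:
    """SHA-256 of a firmware image, used for the firmware integrity check."""
    return hashlib.sha256(image).hexdigest()

# Policy information (constructed sample values).
POLICY = {
    "address_map": {"meter-001": "00:11:22:33:44:01",   # authorized devices
                    "meter-002": "00:11:22:33:44:02"},  # and address mappings
    "firmware": {fw_hash(b"fw-v1.2")},                  # authorized updates
    "services": {"metering", "time-sync"},              # authorized services
}
# Thresholds are assumptions; a deployment would tune them per network.
LIMITS = {"cpu_pct": 80.0, "battery_min_pct": 15.0, "clock_skew_s": 5.0,
          "collision_rate": 0.20, "packet_loss": 0.10}

def evaluate(report, policy=POLICY, limits=LIMITS):
    """Return the sorted alert names raised by one telemetry report."""
    alerts = set()
    # Policy checks: known device, expected address, approved firmware/services.
    expected_mac = policy["address_map"].get(report["device_id"])
    if expected_mac is None:
        alerts.add("unauthorized_device")
    elif expected_mac != report["mac"]:
        alerts.add("address_mapping_mismatch")
    if report["firmware_sha256"] not in policy["firmware"]:
        alerts.add("firmware_integrity")
    if set(report["services"]) - policy["services"]:
        alerts.add("unauthorized_service")
    # System checks: CPU usage, battery level, clock synchronisation.
    if report["cpu_pct"] > limits["cpu_pct"]:
        alerts.add("high_cpu")
    if report["battery_pct"] < limits["battery_min_pct"]:
        alerts.add("low_battery")
    if abs(report["clock_skew_s"]) > limits["clock_skew_s"]:
        alerts.add("clock_desync")
    # Network checks: NAN collision rate and packet loss.
    if report["collision_rate"] > limits["collision_rate"]:
        alerts.add("nan_collision_rate")
    if report["packet_loss"] > limits["packet_loss"]:
        alerts.add("packet_loss")
    return sorted(alerts)

# Constructed sample reports: a healthy meter and one with several anomalies.
BASELINE = {"device_id": "meter-001", "mac": "00:11:22:33:44:01",
            "firmware_sha256": fw_hash(b"fw-v1.2"), "services": ["metering"],
            "cpu_pct": 12.0, "battery_pct": 90.0, "clock_skew_s": 0.4,
            "collision_rate": 0.03, "packet_loss": 0.01}
SUSPECT = dict(BASELINE, firmware_sha256=fw_hash(b"fw-unknown"),
               services=["metering", "telnet"], cpu_pct=97.0, packet_loss=0.35)
```
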
• Centralized IDS Model
[Diagram: Utility Company, IDS, DCU]
• Can detect attacks against utility network
• But will miss attacks against smart meters
[Diagram: DCU and meters, some labelled Meter + IDS]
• Will have access to meter-specific information
• But,
• Attacks on DCU cannot be detected
• Functioning both as a meter and IDS can be resource intensive
• Keys of all other meters have to be stored in Meter + IDS devices to inspect data
• Not a good idea to store someone’s decryption key on someone else’s meter
[Diagram: DCU and meters, with separate IDS devices]
• More processing power
• Fewer IDS sensors required
• So fewer places where keys are stored
• But still, attacks on DCU are not detected
[Diagram: DCU, meters and IDS devices, plus Utility Company with its own IDS]
• Either Centralized + Embedded or Centralized + Dedicated sensors
• Can detect attacks at both (DCS and NAN) ends
• According to the architecture discussed in this paper, the DCU is the device which is more likely to have a public IP address
• Smart meter vendors or third parties may soon start integrating 802.11 or GSM/3G into smart meters
• But, why?
• Banner Grabbing!
• SHODAN – Expose Online Devices
• IPv4 computer search engine
• Webcams, Routers, Power Plants, iPhones, Wind Turbines, Refrigerators, VoIP Phones