Multi-vendor Penetration Testing in the Advanced Metering - - PowerPoint PPT Presentation


Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges. DIMACS Workshop on Algorithmic Decision Theory for the Smart Grid. Stephen McLaughlin, Penn State University, Systems and Internet Infrastructure Security Laboratory.


SLIDE 1

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges

DIMACS Workshop on Algorithmic Decision Theory for the Smart Grid Stephen McLaughlin - Penn State University

Tuesday, October 19, 2010

SLIDE 2

Meter Data Management (for the last 100 years)


SLIDE 3

Meter Data Management (now and in the near future)

[Figure: two usage plots from one meter. "One Day": 00:00 to 00:00 at 4-hour ticks, 2 to 18 kW. "One Hour": 18:00:00 to 19:00:00 at 10-minute ticks, 2 to 7 kW.]

SLIDE 4

Meter Data Management (now and in the near future)

[Figure: the same "One Day" and "One Hour" usage plots, annotated with the features fine-grained readings expose.]

Features visible in the data:
  • Peak usage
  • Peak transient
  • Hourly average
  • Time of use
  • Types of appliances
  • Power quality
  • Over time: repetitive features, outages, tampering

SLIDE 5

AMI - the justification

  • Automated Meter Reading
    • Pre-smart meter automated reading and outage notification
    • Now expanding to Internet-connected SCADA systems
  • Dynamic pricing schemes
    • Time Of Use (peak load management)
    • Maximum demand
    • Demand response
  • Flexible energy generation
    • Enable consumer generation
    • Alternate energy sources

SLIDE 6

AMI - the concerns

  • What should we be concerned about?
    • Accuracy/Fraud
    • Consumer privacy
    • National security

SLIDE 7

Penetration Testing AMI

“The organization assesses the security requirements in the Smart Grid information system on an organization-defined frequency to determine the extent the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the Smart Grid information system.” (p. 117)

SLIDE 8

Vulnerability Assessment

  • Penetration testing: the art and science of breaking systems by applying attacker tools against live systems.
  • Destructive research attempts to illuminate the exploitable flaws and the effectiveness of security infrastructure.
  • Bottom line Q/A
    • Q: why are we doing this?
    • A: part of a Lockheed-Martin grant to aid the energy industry in identifying problems before they are found “in the wild”.
    • Q: what are we doing?
    • A: evaluating a number of vendor products in the lab that are used in neighborhood-level deployments, i.e., we only look at the meters and collectors.

SLIDE 9

AMI Architectures

[Diagram: meters on a Meter LAN (1: Power Line Communication, 2: RF Mesh) reach Collectors and Repeaters, which connect over the Backhaul Network (Cellular, Internet or PSTN) to the Utility Server.]

SLIDE 10

Attack Trees

[Figure: the fraud archetypal attack tree, reconstructed from the slide's node labels and gates.]

Tamper Usage Data (OR)
  (a) Tamper Measurement (AND)
      OR: Disconnect Meter [A1.1]; Meter Inversion [A1.2] = Bypass Meter AND Reverse Meter
      Clear Logged Events: Log In and Clear Event History [A1.3]
  (b) Tamper Stored Demand (OR)
      Reset Net Usage = Recover Meter Passwords [A2.1] AND Log In and Reset Net Usage [A2.2]
      Physically Tamper Storage [A2.3]
  (c) Tamper in Network (AND)
      Intercept Communications [A3.1]
      Inject Usage Data (OR): Man in the Middle [A3.2]; Spoof Meter [A3.3]

A means for pen-testing planning

SLIDE 11

Archetypal Trees

  • Idea: can we separate the issues that are vendor independent from those that are specific to the vendor/device, e.g., access media?
  • ... then reuse an archetypal tree as a base for each vendor-specific concrete tree.

[Figure: an archetypal tree for an adversarial goal (nodes A, B) is specialized by attack grafting into concrete trees for two systems, S1 and S2.]

SLIDE 12

Pen Testing via Archetypal Trees

  • 1. capture architectural description
  • 2. construct archetypal trees (for each attacker goal)
  • 3. capture vendor-specific description (for SUT)
  • 4. construct concrete tree
  • 5. perform penetration testing and graft leaves toward goals

This paper: 3 attack trees (fraud, DoS, disconnect), 2 “systems under test” (SUT)

SLIDE 13-18

Construction of Archetypal Trees

[Figure, built up one level at a time across slides 13 to 18, starting from the root goal Forge Demand. Final form, reconstructed from the node labels and gates:]

Forge Demand (OR)
  Interrupt Measurement (AND)
      OR: Disconnect Meter [A1.1]; Meter Inversion [A1.2]
      Erase Logged Events
  Extract Meter Passwords [A2.1]
  Tamper in Flight [A2.2]

Two rules for termination:
  • 1. Attack is on a vendor-specific component
  • 2. Target may be guarded by a protection mechanism

SLIDE 19

System Under Test

  • PSTN connected collector
    • ANSI C12.21
    • “intrusion detection”
  • 900 MHz wireless mesh collector/meter network
  • Infrared “near-field” security for configuration port

[Diagram of the lab setup: meters with 120V AC loads and repeaters on the radio mesh, the collector dialing through a PBX to the utility machine, and the attacker machine with a radio receiver, a modem on the phone line and an infrared port to the meter.]

SLIDE 20

Fraud Concrete

[Figure: the fraud archetypal tree of slide 10 (shown alongside on the slide) with the concrete subtrees for the system under test grafted onto Intercept Communications [A3.1] and Spoof Meter [A3.3]. Reconstructed from the node labels and gates:]

Intercept Communications [A3.1] (OR)
  Via Wireless Mesh [a1.1]
  Via Telephone (AND): Interpose on Collector PSTN Link [a2.1]; Circumvent Intrusion Detection [a2.2]
  Splice Into Meter I/O Bus [a3.1]

Spoof Meter [A3.3] (AND)
  Initiate Session with Utility (AND): Identify Self as Meter [a4.1]; Complete Authentication Round [a4.2]
  Run Diagnostic up to Usage Data [a5.1]
  Transmit Forged Usage Data [a6.1]

SLIDE 21

Enabling Attacks (Fraud)

  • Defeating modem “intrusion detection”
    • “off hook” events on the line are detected by sensing the presence of dial-tone voltage at the Foreign Exchange Office (FXO) port.
    • current calls are dropped if an off-hook event is detected
    • such events can be suppressed simply by preventing that voltage from arriving at the FXO

SLIDE 22-25

Enabling Attacks (Fraud)

Valid Authentication Session (the four messages drawn on the slides; the utility is shown opening with Identify):

  Utility -> Meter:   Identify
  Meter -> Utility:   Nonce
  Utility -> Meter:   Hash(Password, Nonce)
  Meter -> Utility:   Hash(Password, Nonce')

  • Replay attack: I can replay the nonce from a previous session to impersonate the meter.

Replay Attack (same four messages, with the attacker standing in for the meter):

  • Replay Nonce from valid session
  • All subsequent messages are the same
  • Attacker need not know password
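The exchange above and the replay against it, as an added example: this is my code, not code from the talk or the ACSAC paper. Two things the slides leave unstated are assumed here: Hash(Password, Nonce) is modelled as HMAC-SHA256, and Nonce' is derived deterministically from Nonce (taken as Nonce + 1), which is what makes every message after the replayed nonce identical to the recorded session. The class names, the meter id "meter-42" and the hardened V2 variant at the end are mine as well.

```python
"""Challenge-response exchange from slides 22-25, the replay against it, and a hardened
variant. Added example, not code from the talk or the ACSAC paper. Assumptions (not stated
on the slides): Hash(Password, Nonce) is modelled as HMAC-SHA256; Nonce' is derived
deterministically from Nonce (here Nonce + 1), which is what makes every message after the
replayed nonce identical to the recorded session.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 8


def mac(password, *parts):
    """Hash(Password, ...) stand-in: HMAC-SHA256 keyed with the meter password."""
    return hmac.new(password, b"".join(parts), hashlib.sha256).digest()


def derived_nonce(nonce):
    """Nonce' as assumed above: Nonce + 1 (mod 2^64), so it carries no fresh entropy."""
    return ((int.from_bytes(nonce, "big") + 1) % (1 << (8 * NONCE_LEN))).to_bytes(NONCE_LEN, "big")


class Meter:
    """Meter side of the exchange: the only fresh value in the session comes from here."""

    def __init__(self, meter_id, password):
        self.meter_id, self.password, self.nonce = meter_id, password, None

    def identify(self):                      # Utility -> Identify; Meter -> (id, Nonce)
        self.nonce = secrets.token_bytes(NONCE_LEN)
        return self.meter_id, self.nonce

    def authenticate(self, utility_proof):   # Utility -> Hash(Password, Nonce)
        if not hmac.compare_digest(utility_proof, mac(self.password, self.nonce)):
            return None                      # utility did not prove the password
        return mac(self.password, derived_nonce(self.nonce))   # Meter -> Hash(Password, Nonce')


class Utility:
    """Utility side: accepts whichever nonce the peer returns, checks Hash(Password, Nonce')."""

    def __init__(self, passwords):
        self.passwords = passwords           # meter id -> password

    def read_meter(self, peer):
        meter_id, nonce = peer.identify()
        pw = self.passwords[meter_id]
        reply = peer.authenticate(mac(pw, nonce))
        return reply is not None and hmac.compare_digest(reply, mac(pw, derived_nonce(nonce)))


class Wiretap:
    """Intercept Communications (A3.1): relays one genuine session and records every message."""

    def __init__(self, meter):
        self.meter, self.transcript = meter, {}

    def identify(self):
        self.transcript["identify"] = self.meter.identify()
        return self.transcript["identify"]

    def authenticate(self, *msg):
        self.transcript["reply"] = self.meter.authenticate(*msg)
        return self.transcript["reply"]


class ReplayingMeter:
    """Spoof Meter (A3.3): answers only with recorded messages, never touching the password."""

    def __init__(self, transcript):
        self.transcript = transcript

    def identify(self):
        return self.transcript["identify"]   # replayed nonce => the utility's proof is unchanged

    def authenticate(self, *msg):
        return self.transcript["reply"]      # recorded Hash(Password, Nonce') still matches


def replay_succeeds(utility_cls=Utility, meter_cls=Meter):
    """Record one valid session through the wiretap, then authenticate as the meter by replay alone."""
    password = secrets.token_bytes(16)       # never seen by the attacker
    utility = utility_cls({"meter-42": password})
    tap = Wiretap(meter_cls("meter-42", password))
    if not utility.read_meter(tap):
        raise RuntimeError("genuine session should succeed")
    return utility.read_meter(ReplayingMeter(tap.transcript))


# Hardened variant (my addition, not from the talk): the utility also contributes a fresh
# nonce to each session and the meter's reply is bound to it, so a recorded reply never
# matches a later challenge.
class MeterV2(Meter):
    def authenticate(self, utility_nonce, utility_proof):
        if not hmac.compare_digest(utility_proof, mac(self.password, utility_nonce, self.nonce)):
            return None
        return mac(self.password, self.nonce, utility_nonce)


class UtilityV2(Utility):
    def read_meter(self, peer):
        meter_id, nonce = peer.identify()
        pw, u_nonce = self.passwords[meter_id], secrets.token_bytes(NONCE_LEN)
        reply = peer.authenticate(u_nonce, mac(pw, u_nonce, nonce))
        return reply is not None and hmac.compare_digest(reply, mac(pw, nonce, u_nonce))


if __name__ == "__main__":
    print("replay accepted by slide protocol:", replay_succeeds())                    # True
    print("replay accepted by hardened protocol:", replay_succeeds(UtilityV2, MeterV2))  # False
```

The replay works because the meter is the only party that contributes freshness and the meter is the party being impersonated; once its nonce is replayed, the utility's proof and the expected reply are fixed, so the attacker never needs the password. In the V2 variant the utility injects its own nonce and the meter's final message depends on it, which is the minimal change that defeats the replay. Keeping passwords out of plaintext EEPROM (slide 27) is a separate fix for a separate leaf of the tree.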

SLIDE 26

Targeted Disconnect AT

[Figure: the targeted disconnect archetypal tree, reconstructed from the slide's node labels and gates.]

Targeted Disconnect (OR)
  Directly Issue Disconnect (AND)
      Determine Target ID or Address [R1.1]
      Issue Remote Disconnect [R1.2]: Recover Meter Passwords AND a delivery path (Issue from Network OR Issue via Optical Port) [R1.3, R1.4]
  Issue Local Disconnect: Tamper with Switch (AND)
      Remove Meter Cover [R2.1]
      Manipulate Switch to Disconnect [R2.2]
      Replace Tamper Seal [R2.3]

SLIDE 27

Enabling Attacks (Disconnect)

  • Physical tamper “evidence”
    • Limited tamper seals, which enables ...
  • Passwords are stored in EEPROM
    • Physical access to the device can yield all of the data held in non-volatile memory, which enables ...
  • Authentication secrets derived from passwords
    • Bypass the authentication system, which enables ...
  • Issue disconnect command.

Note: if you can break the dependency chain, you can prevent the attack, i.e., simple measures can often prevent complex attacks.

SLIDE 28

Disconnect Concrete

[Figure: the targeted disconnect archetypal tree of slide 26 with the subtrees found on the system under test grafted on. Reconstructed from the node labels and gates:]

Recover Meter Passwords [R1.3 / A2.1] (OR)
  Trojan Optical Port [r1.1]
  Physically Extract from Meter [r1.2]

Issue Remote Disconnect [R1.2] (AND)
  Mutually Authenticate with Meter [r2.1]
  Issue Disconnect Command [r2.2]
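One way to keep the bookkeeping for steps 4 and 5 of the method on slide 12 (construct the concrete tree, graft leaves toward goals) and to check slide 27's point that breaking one link in the dependency chain prevents the attack, as an added example in Python; this is my code, not the talk's or the ACSAC paper's. The node labels and identifiers are the slides' own; the AND/OR wiring, the reduction of the archetypal tree to the two branches slide 28 grafts onto, and the `graft`, `achievable`, `attack_paths` and `paths_surviving` functions are my assumptions.

```python
"""Attack-tree bookkeeping for the archetypal-to-concrete method of slides 11-12, run on the
targeted-disconnect trees of slides 26-28. Added example, not code from the talk or the ACSAC
paper. The tree wiring below is my reading of the slide labels (the archetypal tree is
reduced to the branches the concrete slide grafts onto); node names and identifiers are the
slides' own.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Node:
    label: str
    gate: str = "LEAF"       # "AND", "OR" or "LEAF"
    children: tuple = ()
    ident: str = ""          # R1.1 ... for archetypal nodes, r1.1 ... for grafted concrete ones


def leaf(ident, label):
    return Node(label, "LEAF", (), ident)


def AND(label, *kids, ident=""):
    return Node(label, "AND", kids, ident)


def OR(label, *kids, ident=""):
    return Node(label, "OR", kids, ident)


def graft(tree, ident, subtree):
    """Step 5 of the method: replace the archetypal leaf `ident` with a vendor-specific
    subtree, keeping the archetypal identifier on the grafted node."""
    if tree.gate == "LEAF":
        return Node(tree.label, subtree.gate, subtree.children, ident) if tree.ident == ident else tree
    return Node(tree.label, tree.gate, tuple(graft(c, ident, subtree) for c in tree.children), tree.ident)


def achievable(tree, demonstrated):
    """Is the goal reachable given the set of leaf identifiers demonstrated in the lab?"""
    if tree.gate == "LEAF":
        return tree.ident in demonstrated
    results = [achievable(c, demonstrated) for c in tree.children]
    return all(results) if tree.gate == "AND" else any(results)


def attack_paths(tree):
    """Every minimal set of leaves that reaches the goal: AND gates combine their children's
    paths, OR gates pool them, and any path that is a superset of another is dropped."""
    if tree.gate == "LEAF":
        return [frozenset([tree.ident])]
    child_paths = [attack_paths(c) for c in tree.children]
    if tree.gate == "OR":
        paths = {p for cp in child_paths for p in cp}
    else:
        paths = {frozenset().union(*combo) for combo in product(*child_paths)}
    minimal = [p for p in paths if not any(q < p for q in paths)]
    return sorted(minimal, key=lambda p: (len(p), sorted(p)))


# Slide 26, reduced to the remote and local branches (assumed wiring, see module docstring).
ARCHETYPAL = OR("Targeted Disconnect",
    AND("Directly Issue Disconnect",
        leaf("R1.1", "Determine Target ID or Address"),
        leaf("R1.2", "Issue Remote Disconnect")),
    AND("Tamper with Switch",
        leaf("R2.1", "Remove Meter Cover"),
        leaf("R2.2", "Manipulate Switch to Disconnect"),
        leaf("R2.3", "Replace Tamper Seal")))


def concrete_disconnect_tree():
    """Slide 28: graft the system-under-test subtrees onto R1.2, then onto R1.3 inside it."""
    tree = graft(ARCHETYPAL, "R1.2", AND("Issue Remote Disconnect",
        leaf("R1.3", "Recover Meter Passwords"),
        leaf("r2.1", "Mutually Authenticate with Meter"),
        leaf("r2.2", "Issue Disconnect Command")))
    return graft(tree, "R1.3", OR("Recover Meter Passwords",
        leaf("r1.1", "Trojan Optical Port"),
        leaf("r1.2", "Physically Extract from Meter")))


def paths_surviving(protected):
    """Slide 27's note: block the leaves in `protected` and see which attack paths remain."""
    return [p for p in attack_paths(concrete_disconnect_tree()) if not (p & set(protected))]


if __name__ == "__main__":
    tree = concrete_disconnect_tree()
    for path in attack_paths(tree):
        print(sorted(path))
    print(achievable(tree, {"R1.1", "r1.2", "r2.1", "r2.2"}))   # True: passwords pulled from EEPROM
    print(paths_surviving({"r1.1", "r1.2"}))                    # only the physical switch path is left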

SLIDE 29

Attacks Summary

[Summary table not captured in the slide text.]

SLIDE 30

Challenges: Logistical

  • Uncooperative meter vendors
  • Establishing standards for pen-testing, e.g. collections of attack trees
  • Pen testing products, not deployments

SLIDE 31

Challenges: Methodological

  • Enumerating adversarial goals (security is largely reactive)
  • Being comprehensive in attack tree construction
  • Automation of the process using existing modeling techniques such as threat modeling

SLIDE 32

Summary

  • Horizontal penetration is now essential
    • Transitions of major infrastructure and critical systems mandate external review of by-sector vulnerabilities.
  • Archetypal trees are a way to get there
    • Focus energies on adversarial efforts leading to goals
    • Approaches goals of certifications like Common Criteria
  • Smart grid: deployments outstripping our ability to understand and manage vulnerabilities
    • Society must get ahead of problems before they lead to potentially devastating events
    • Needs more back-pressure to improve deployed solutions.

SLIDE 33

Questions?

  • Patrick McDaniel (mcdaniel@cse.psu.edu)
  • Stephen McLaughlin (smclaugh@cse.psu.edu)
  • Project Page: http://siis.cse.psu.edu/smartgrid.html
  • Papers
    • Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Multi-vendor Penetration Testing in the Advanced Metering Infrastructure. Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), December 2010. Austin, TX.
    • Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Embedded Firmware Diversity for Smart Electric Meters. Proceedings of the 5th Workshop on Hot Topics in Security (HotSec '10), August 2010. Washington, DC.
    • Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel. Energy Theft in the Advanced Metering Infrastructure. In the 4th International Workshop on Critical Information Infrastructure Security, September 2009. Bonn, Germany.