Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges

Transcription

1 Multi-vendor Penetration Testing in the Advanced ing Infrastructure: Future Challenges DIMACS Workshop on Algorithmic Decision Theory for the Smart Grid Stephen McLaughlin - Penn State University 1

2 Data Management (for the last 100 years) 2

3 Data Management (now and in the near future) One Day :00 04:00 08:00 12:00 16:00 20:00 00: One Hour Kw :00:00 18:10:00 18:20:00 18:30:00 18:40:00 18:50:00 19:00:00 3

4 Data Management (now and in the near future) Peak TransientOne Day Hourly Average Peak Usage Peak Usage Outages Time of Use 0 6 Repetitive Features 00:00 04:00 08:00 12:00 16:00 20:00 00: Kw Power Quality over time 2 18:00:00 18:10:00 18:20:00 18:30:00 18:40:00 18:50:00 19:00:00 One Hour Types of appliances Tampering 4

5 AMI - the justification Automated Reading Pre-smart meter automated reading and outage notification Now expanding to Internet-connected SCADA systems Dynamic pricing schemes Time Of Use (peak load management) Maximum demand Demand response Flexible energy generation Enable consumer generation Alternate energy sources 5

6 AMI - the concerns What should we be concerned about? Accuracy/Fraud Consumer privacy National security 6

7 Penetration Testing AMI The organization assesses the security requirements in the Smart Grid information system on an organization-defined frequency to determine the extent the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the Smart Grid information system. -p 117 7

8 Vulnerability Assessment Penetration testing: the art and science of breaking systems by applying attacker tools against live systems. Destructive research attempts to illuminate the exploitable flaws and effectiveness of security infrastructure. Bottom line Q/A Q: why are we doing this? A: part of Lockheed-Martin grant to aid energy industry in identifying problems before they are found in the wild. Q: what are we doing? A: evaluating a number of vendor products in the lab that are used in neighborhood-level deployments, i.e., we only look at the meters and collectors. 8

9 AMI Architectures Collectors Repeaters Cellular Internet PSTN LAN 1: Power Line Communication Utility Server Backhaul Network... Collector Repeater LAN 2: RF Mesh 9

10 Attack Trees A means for pen-testing planning Tamper Measurement Tamper Usage Data Tamper Stored Demand (a) (b) (c) Bypass Reverse Reset Net Usage Physically Tamper Storage A2.3 Tamper in Network Intercept Communications A3.1 Inject Usage Data A1.1 Clear Logged Events Inversion A1.2 Log In and Reset Net Usage A2.2 Man in the Middle A3.2 Spoof A3.3 Log In and Clear Event History A1.3 Recover Passwords A2.1 10

11 Archetypal Trees Idea: can we separate the issues that are vendor independent from those that are specific to the vendor/ device, e.g., access media? Adversarial Goal A B Attack Grafting... then reuse an archetypal tree as a base for each vendor specific concrete tree. A S1 A S2 B Archetypal Tree Concrete Trees Archetypal Tree Concrete Trees 11

12 Pen Testing via Archetypal Trees 1. capture architectural description 2. construct archetypal trees (for each attacker goal) 3. capture vendor-specific description (for SUT) 4. construct concrete tree 5. perform penetration testing and graft leaves toward goals This paper: 3 Attack trees: fraud, DOS, disconnect, 2 "systems under test" (SUT) 12

13 Construction of Archetypal Trees Forge Demand 13

14 Construction of Archetypal Trees Forge Demand Interrupt Measurement 14

15 Construction of Archetypal Trees Forge Demand Interrupt Measurement Inversion Erase Logged Events 15

16 Construction of Archetypal Trees Forge Demand Interrupt Measurement Inversion Erase Logged Events Extract Passwords Tamper in Flight 16

17 Construction of Archetypal Trees Forge Demand Interrupt Measurement Inversion A1.1 A1.2 Erase Logged Events Extract Passwords Tamper in Flight 17

18 Construction of Archetypal Trees Forge Demand Interrupt Measurement Inversion A1.1 A1.2 Erase Logged Events Two rules for termination: 1. Attack is on a vendor-specific component 2. Target may be guarded by a protection mechanism Extract Passwords Tamper in Flight A2.1 A2.2 18

19 System Under Test PSTN connected collector ANSI C12.21 intrusion detection PBX Rcvr " " " " " Radio 120V AC Modem " " " " Collector Repeater Load Infrared Load Repeater Attacker Machine Utility Machine 900 MHz wireless mesh collector/meter network Infrared near-field security for configuration port 19

20 Fraud Concrete Tamper Usage Data Tamper Tamper (a) Measurement (b) Stored (c) Demand Bypass Reverse Reset Net Usage Physically Tamper Storage A2.3 Tamper in Network Intercept Communications A3.1 Inject Usage Data A1.1 Clear Logged Events Inversion A1.2 Log In and Reset Net Usage A2.2 Man in the Middle A3.2 Spoof A3.3 Log In and Clear Event History A1.3 Recover Passwords A2.1 () Splice Into I/O Bus a1.1 A3.1 A3.3 Intercept Communications Via Telephone Via Wireless Mesh a3.1 Initiate Session with Utility Spoof Run Diagnostic up to Usage Data Transmit Forged Usage Data a5.1 a6.1 Interpose on Collector PSTN Link Circumvent Intrusion Detection a2.1 a2.2 Identify Self as Complete Authentication Round a4.1 a4.2 20

21 Enabling Attacks (Fraud) Defeating modem intrusion detection off hook events on the line are detected by sensing presence Foreign Exchange Office (FXO) of dial-tone voltage on the line. current calls are dropped if off hook is detected such events can simply be suppress easily by preventing voltage from arriving at the FXO 21

22 Enabling Attacks (Fraud) Valid Authentication Session Identify Nonce Hash(Password,Nonce) Utility Hash(Password,Nonce') 22

23 Enabling Attacks (Fraud) Valid Authentication Session Valid Authentication Session Utility Utility Identify Identify Nonce Nonce Hash(Password,Nonce) Hash(Password,Nonce) Hash(Password,Nonce') 22

24 Enabling Attacks (Fraud) Valid Authentication Session Valid Authentication Session Utility Utility Identify Identify Nonce Nonce Hash(Password,Nonce) Hash(Password,Nonce) Hash(Password,Nonce') Replay attack: I can replay the nonce from a previous session to impersonate the meter. 22

25 Enabling Attacks (Fraud) Valid Authentication Session Valid Authentication Session Utility Utility Identify Identify Nonce Nonce Hash(Password,Nonce) Hash(Password,Nonce) Hash(Password,Nonce') Replay attack: I can replay the nonce from a previous session to impersonate the meter. Replay Attack Utility Identify Nonce Hash(Password,Nonce) Hash(Password,Nonce') Replay Nonce from valid session All subsequent messages are the same Attacker need not know password 22

26 Targeted AT Targeted Issue from Network Issue via Optical Port Directly Issue Remove Cover Tamper with Switch Manipulate Switch to Replace Tamper Seal R2.1 R2.2 R2.3 Determine Target ID or Address R1.1 Issue Remote R1.2 Recover Passwords Issue Local R1.3 R1.4 23

27 Enabling Attacks () Physical tamper evidence Limited tamper seals, which enables... Passwords are stored in EEPROM Physical access to the device can yield all of the data held in non-volatile memory, which enables... Authentication secrets derived from passwords Bypass the authentication system, which enables... Issue disconnect command. Note: if you can break the dependency chain, you can prevent the attack, i.e., simple measures can often prevent complex attacks. 24

28 Concrete Targeted Issue from Network Issue via Optical Port Directly Issue Remove Cover Tamper with Switch Manipulate Switch to Replace Tamper Seal R2.1 R2.2 R2.3 Determine Target ID or Address R1.1 Issue Remote R1.2 Recover Passwords Issue Local R1.3 R1.4 () Trojan Optical Port r1.1 R1.3 / A2.1 Recover Passwords Physically Extract from r1.2 Mutually Authenticate with r2.1 R1.2 Issue Remote Issue Command r2.2 25

29 Attacks Summary 26

30 Challenges: Logistical Uncooperative meter vendors Establishing standards for pen-testing, e.g. collections of attack trees Pen testing products, not deployments 27

31 Challenges: Methodological Enumerating adversarial goals (security is largely reactive) Being comprehensive in attack tree construction Automation of the process using existing modeling techniques such as threat modeling 28

32 Summary Horizontal penetration is now essential Transitions of major infrastructure and critical systems mandates external review of by-sector vulnerabilities. Archetypal trees are a way to get there Focus energies on adversarial efforts leading to goals Approaches goals of certifications like Common Criteria Smart grid: Deployments outstripping our ability to understand and manage vulnerabilities Society must get ahead of problems before they lead to potentially devastating events Needs more back-pressure to improve deployed solutions. 29

33 Questions? Patrick McDaniel Stephen McLaughlin Project : Papers Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Multi-vendor Penetration Testing in the Advanced ing Infrastructure. Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), December Austin, TX. Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Embedded Firmware Diversity for Smart Electric s. Proceedings of the 5th Workshop on Hot Topics in Security (HotSec '10), August Washington, DC. Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel. Energy Theft in the Advanced ing Infrastructure. In the 4th International Workshop on Critical Information Infrastructure Security, September Bonn, Germany. 30