Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges


Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges. DIMACS Workshop on Algorithmic Decision Theory for the Smart Grid. Stephen McLaughlin, Penn State University.

Data Management (for the last 100 years)

Data Management (now and in the near future). [Chart: one day of consumption, kW against time of day from 00:00 to 00:00; one hour of consumption, kW against time from 18:00:00 to 19:00:00.]

Data Management (now and in the near future). [Same two charts, annotated with what fine-grained usage data reveals: peak transients, hourly average and peak usage, outages, time of use, repetitive features over time, power quality, types of appliances, tampering.]

AMI - the justification:
- Automated reading: pre-smart-meter automated reading and outage notification, now expanding to Internet-connected SCADA systems.
- Dynamic pricing schemes: time of use (peak load management), maximum demand, demand response.
- Flexible energy generation: enable consumer generation and alternate energy sources.

AMI - the concerns. What should we be concerned about? Accuracy/fraud, consumer privacy, national security.

Penetration Testing AMI. "The organization assesses the security requirements in the Smart Grid information system on an organization-defined frequency to determine the extent the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the Smart Grid information system." (p. 117)

Vulnerability Assessment. Penetration testing: the art and science of breaking systems by applying attacker tools against live systems. Destructive research attempts to illuminate the exploitable flaws and the effectiveness of security infrastructure. Bottom line Q/A. Q: why are we doing this? A: part of a Lockheed-Martin grant to aid the energy industry in identifying problems before they are found in the wild. Q: what are we doing? A: evaluating a number of vendor products in the lab that are used in neighborhood-level deployments, i.e., we only look at the meters and collectors.

AMI Architectures. [Diagram: meters and repeaters on two neighborhood networks, LAN 1 (power line communication) and LAN 2 (RF mesh), each reaching a collector; collectors connect over a backhaul network (cellular, Internet, PSTN) to the utility server.]

Attack Trees: a means for pen-testing planning. [Figure: fraud attack tree. Root goal: Tamper Usage Data, with subgoals (a) Tamper Measurement, (b) Tamper Stored Data, (c) Tamper Demand. Node labels include Bypass, Reverse, Reset Net Usage, Physically Tamper Storage, Tamper in Network, Intercept Communications, Inject Usage Data, Clear Logged Events, Inversion, Log In and Reset Net Usage, Man in the Middle, Spoof, Log In and Clear Event History, Recover Passwords; leaves are tagged A1.1 through A3.3.]

Archetypal Trees. Idea: can we separate the issues that are vendor independent from those that are specific to the vendor/device, e.g., access media? Start from an adversarial goal with generic subgoals A and B, then reuse this archetypal tree as a base for each vendor-specific concrete tree, grafting vendor-specific attacks (A-S1, A-S2) beneath the generic nodes. [Figure: one archetypal tree, two concrete trees derived from it.]

Pen Testing via Archetypal Trees:
1. Capture the architectural description.
2. Construct archetypal trees (one for each attacker goal).
3. Capture the vendor-specific description (for the system under test, SUT).
4. Construct the concrete tree.
5. Perform penetration testing and graft leaves toward goals.
This paper: 3 attack trees (fraud, DOS, disconnect), 2 systems under test (SUT).
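The five-step procedure above, modelled as an added example (not the paper's tooling): an archetypal tree with AND/OR nodes, a graft operation for step 5, an enumeration of the leaf sets that reach the goal, and a check for archetypal leaves that still have no concrete graft, i.e. attacks not yet tried or refuted on this SUT. The tree contents are a constructed reading of the fraud tree on slides 13 to 18 and of the concrete leaves on slides 20 and 25; the exact hierarchy and the AND/OR choices are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    tag: str = ""          # "A*.*": archetypal leaf; "a*.*"/"r*.*": concrete, SUT-specific leaf
    all_of: bool = False   # True: every child is required (AND); False: any child suffices (OR)
    children: list = field(default_factory=list)

def leaves(node):
    if not node.children:
        yield node
    for child in node.children:
        yield from leaves(child)

def graft(tree, tag, subtrees, all_of=False):
    """Step 5: hang SUT-specific findings beneath the archetypal leaf tagged `tag`."""
    leaf = next(n for n in leaves(tree) if n.tag == tag)   # StopIteration if the tag is absent
    leaf.children.extend(subtrees)
    leaf.all_of = all_of

def scenarios(node):
    """Minimal leaf sets reaching `node`: OR lists alternatives, AND combines one per child."""
    if not node.children:
        return [(node.name,)]
    alts = [scenarios(c) for c in node.children]
    if not node.all_of:
        return [s for alt in alts for s in alt]
    combos = [()]
    for alt in alts:
        combos = [c + s for c in combos for s in alt]
    return combos

def ungrafted(tree):  # archetypal leaves still without a concrete graft: untested on this SUT
    return [leaf.tag for leaf in leaves(tree) if leaf.tag.startswith("A")]

def archetypal_fraud():  # step 2, a constructed reading of slides 13-18 (vendor-independent)
    return Node("Forge Demand", children=[
        Node("Interrupt Measurement", tag="A1.1"),
        Node("Inversion", tag="A1.2"),
        Node("Erase Logged Events", children=[
            Node("Extract Passwords", tag="A2.1"),
            Node("Tamper in Flight", tag="A2.2")])])

def concrete_fraud_for_pstn_collector():  # steps 3-5; graft names paraphrase slides 20 and 25
    tree = archetypal_fraud()
    graft(tree, "A2.1", [Node("Physically Extract from Storage", tag="r1.2")])
    graft(tree, "A2.2", [Node("Interpose on Collector PSTN Link", tag="a2.1"),
                         Node("Circumvent Intrusion Detection", tag="a2.2")], all_of=True)
    return tree
```

The AND node under Tamper in Flight records the slide 21 observation that interposing on the PSTN link only works together with defeating the modem intrusion detection, so removing either enabling step removes that scenario.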

Construction of Archetypal Trees (built up over slides 13 to 18). The goal Forge Demand is expanded into Interrupt Measurement and Inversion (leaves A1.1, A1.2) and Erase Logged Events, which is expanded in turn into Extract Passwords and Tamper in Flight (leaves A2.1, A2.2). Two rules for termination: 1. the attack is on a vendor-specific component; 2. the target may be guarded by a protection mechanism.

System Under Test: PSTN-connected collector. [Diagram: utility machine, PBX, modem and receiver on the telephone side; collector with radio and 120 V AC supply; repeaters, loads and an infrared port on the field side; attacker machine. Labels: ANSI C12.21; intrusion detection.] 900 MHz wireless mesh collector/meter network. Infrared near-field security for the configuration port.

Fraud Concrete Tree. [Figure: the fraud attack tree from slide 10 (Tamper Usage Data with subgoals (a) Tamper Measurement, (b) Tamper Stored Data, (c) Tamper Demand, leaves A1.1 through A3.3) with concrete, SUT-specific leaves grafted on: Splice Into I/O Bus (a1.1); Intercept Communications via Telephone or via Wireless Mesh (a3.1); Initiate Session with Utility and Spoof: Run Diagnostic up to Usage Data, Transmit Forged Usage Data (a5.1, a6.1); Interpose on Collector PSTN Link, Circumvent Intrusion Detection (a2.1, a2.2); Identify Self as Meter, Complete Authentication Round (a4.1, a4.2).]

Enabling Attacks (Fraud): defeating modem intrusion detection. Off-hook events on the line are detected by sensing the presence of dial-tone voltage at the Foreign Exchange Office (FXO) port; current calls are dropped if an off-hook event is detected. Such events can be suppressed simply by preventing that voltage from arriving at the FXO.

Enabling Attacks (Fraud): valid authentication session. Utility to meter: Identify. Meter to utility: Nonce. Utility to meter: Hash(Password, Nonce). Meter to utility: Hash(Password, Nonce'). Replay attack: I can replay the nonce from a previous session to impersonate the meter. Replay the nonce from a valid session; all subsequent messages are the same; the attacker need not know the password.
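The replay described on this slide, as an added simulation (not the paper's code, and not the real ANSI C12.21 message formats): a utility-side verifier that takes all freshness from the meter's nonce accepts a recorded transcript, while a hardened verifier that refuses a nonce it has seen before and binds its own fresh nonce into the expected reply rejects it. SHA-256 as the hash, an 8-byte nonce and Nonce' = Nonce + 1 are assumptions; the password is constructed.

```python
import hashlib
import secrets

def h(password: bytes, nonce: bytes) -> bytes:
    """Stand-in for the slide's Hash(Password, Nonce); SHA-256 is an assumption."""
    return hashlib.sha256(password + nonce).digest()

def nonce_prime(nonce: bytes) -> bytes:
    # Assumption: Nonce' is the meter's nonce plus one, as a 64-bit big-endian integer.
    return ((int.from_bytes(nonce, "big") + 1) % 2**64).to_bytes(8, "big")

class Meter:
    """Honest meter: answers Identify with a fresh nonce, then proves it holds the password."""
    def __init__(self, password: bytes):
        self.password = password
    def identify(self) -> bytes:
        self.nonce = secrets.token_bytes(8)
        return self.nonce
    def authenticate(self, utility_proof: bytes, utility_nonce: bytes = b""):
        if utility_proof != h(self.password, self.nonce):
            return None
        return h(self.password, nonce_prime(self.nonce) + utility_nonce)

class ReplayingImpostor:
    """Replays one recorded (nonce, meter reply) pair; holds no password at all."""
    def __init__(self, transcript):
        self.nonce, self.response = transcript
    def identify(self) -> bytes:
        return self.nonce
    def authenticate(self, utility_proof: bytes, utility_nonce: bytes = b"") -> bytes:
        return self.response   # ignores the utility's nonce: it cannot recompute anything

def record_session(meter: Meter, password: bytes):
    """Transcript of one valid session as an observer on the link would see it."""
    nonce = meter.identify()
    return nonce, meter.authenticate(h(password, nonce))

def naive_utility_accepts(peer, password: bytes) -> bool:
    """Utility side exactly as on the slide: the peer's nonce is the only freshness."""
    nonce = peer.identify()
    return peer.authenticate(h(password, nonce)) == h(password, nonce_prime(nonce))

def hardened_utility_accepts(peer, password: bytes, seen: set) -> bool:
    """Reject reused nonces and bind a utility-chosen nonce into the expected reply."""
    nonce = peer.identify()
    if nonce in seen:
        return False             # detection: a nonce this utility has already accepted
    seen.add(nonce)
    utility_nonce = secrets.token_bytes(8)
    expected = h(password, nonce_prime(nonce) + utility_nonce)
    return peer.authenticate(h(password, nonce), utility_nonce) == expected
```

Either mitigation alone breaks the replay: the seen-nonce check catches a transcript this utility produced itself, and the bound utility nonce catches one recorded elsewhere, which is why the hardened verifier does both.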

Targeted Disconnect Attack Tree. [Figure: nodes Issue from Network, Issue via Optical Port, Directly Issue, Remove Cover, Tamper with Switch, Manipulate Switch, Replace Tamper Seal (R2.1, R2.2, R2.3), Determine Target ID or Address (R1.1), Issue Remote (R1.2), Recover Passwords (R1.3), Issue Local (R1.4).]

Enabling Attacks (Disconnect). A dependency chain:
- Physical tamper evidence: limited tamper seals, which enables...
- Passwords are stored in EEPROM: physical access to the device can yield all of the data held in non-volatile memory, which enables...
- Authentication secrets derived from passwords: bypass the authentication system, which enables...
- Issuing the disconnect command.
Note: if you can break the dependency chain, you can prevent the attack, i.e., simple measures can often prevent complex attacks.

Concrete Disconnect Tree. [Figure: the targeted disconnect tree above (R1.1 through R2.3) with concrete leaves grafted on: Trojan Optical Port (r1.1) under Issue Local (R1.3); Recover Passwords (shared with the fraud tree as A2.1) refined to Physically Extract from Storage (r1.2); Issue Remote (R1.2) refined to Mutually Authenticate (r2.1) and Issue Command (r2.2).]

Attacks Summary

Challenges: Logistical
- Uncooperative meter vendors.
- Establishing standards for pen-testing, e.g., collections of attack trees.
- Pen testing products, not deployments.

Challenges: Methodological
- Enumerating adversarial goals (security is largely reactive).
- Being comprehensive in attack tree construction.
- Automation of the process using existing modeling techniques such as threat modeling.

Summary
- Horizontal penetration testing is now essential: transitions of major infrastructure and critical systems mandate external review of by-sector vulnerabilities.
- Archetypal trees are a way to get there: they focus energies on adversarial efforts leading to goals and approach the goals of certifications like Common Criteria.
- Smart grid: deployments are outstripping our ability to understand and manage vulnerabilities; society must get ahead of problems before they lead to potentially devastating events; more back-pressure is needed to improve deployed solutions.

Questions? Patrick McDaniel (mcdaniel@cse.psu.edu), Stephen McLaughlin (smclaugh@cse.psu.edu). Project: http://siis.cse.psu.edu/smartgrid.html

Papers:
- Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Multi-vendor Penetration Testing in the Advanced Metering Infrastructure. Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), December 2010, Austin, TX.
- Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Embedded Firmware Diversity for Smart Electric Meters. Proceedings of the 5th Workshop on Hot Topics in Security (HotSec '10), August 2010, Washington, DC.
- Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel. Energy Theft in the Advanced Metering Infrastructure. 4th International Workshop on Critical Information Infrastructure Security, September 2009, Bonn, Germany.