1 of 131 Copyright 2012 InGuardians, Inc.
Advanced Metering Infrastructure Security
John Sawyer, Senior Security Analyst
Don C. Weber, Senior Security Analyst
InGuardians, Inc.
John Sawyer
• InGuardians, Inc. - Senior Security Analyst
• DarkReading.com - Author/Blogger
• Aspiring Metasploit Module Writer
• Keep finding my ideas have been done
• 1@stplace - Retired CTF packet monkey
– winners DEFCON 14 & 15
• Avid Mountain Biker…in Florida.
Don C. Weber
• InGuardians, Inc. - Senior Security Analyst
• United States Marine Corps 1991 - 1999
• Plethora of Security Positions
– Certification and Accreditation
– Security Manager
– Incident Responder
– Penetration Tester
• Periodic Blogger
• Python Programmer
• Hardware Smasher
Agenda
• AMI implementation overview
– Smart meters to the backend resources
• Smart meter assessment techniques & mitigations
• Network configuration & monitoring concerns & mitigations
• Web application vulnerabilities & mitigations
Research With Caution - Or Die
Image Taken From: http://www.gizmodo.com.au/2009/04/strangely_the_man_in_this_electrifying_photo_is_not_dead_today-2/
What is the Smart Grid?
Where is AMI in the Smart Grid?
AMI Security Concerns
• Grid Instability
– Meters going down (takes ~300 Mw or ~ 1000 to 2000 homes)
– Fluctuation in demand
  • Drop/Spike in demand during peak/non-peak times
– Resource consolidation could mean external AMI links to other resources of Smart Grid
  • Substation IT Systems
AMI Security Concerns
AMI Security Concerns (2)
• New Technologies
– Increased complexity has reliability as well as security concerns
– Not vetted through YEARS of implementation understanding
– Internet Protocol Version 6
• Information Leakage
– When somebody is home (not a big worry)
– Who will be buying and storing this data?
Energy Sector - Security Research Challenged
• Engineer Mentality
– Change bad
– Why would anybody want to mess with it?
• Extremely Long Equipment Life Cycles
– Twenty Years Minimum
• Research and vulnerability disclosure
– Don C. Weber, InGuardians, 2012 - Smart Meter Assessment Communications Kit (SMACK)
– Dale Peterson, Digital Bond, 2012 - SCADA vulnerabilities with Metasploit Modules
– Mike Davis, IOActive, 2009 - Smart Meter Worm Proof of Concept
• Bad press has lasting impacts
– Public funding
– Initial Public Offering (IPO)
Breaking AMI Architecture Down
External AMI Resources
Hardware Components and Attack Points
• Data At Rest
– Microcontrollers
– Memory Components
– Radios
• Data In Motion
– Internal Bus
– Wireless
– Optical
Hardware Analysis – Data On Device
• Firmware
• Passwords, Security Keys, Certificates
• Radio Configurations
• Internal Resource Information
Radio Analysis Data In Motion - In Air
• Frequency Hopping Spread Spectrum (FHSS)
• Worldwide Interoperability for Microwave Access (WiMAX)
• Code division multiple access (CDMA)
• ZigBee, 6LoWPAN, Wi-Fi
Tools Of The Smart Meter Assessment Trade
• Protocol Analysis
– Standards Documentation
• Hardware Analysis
– Logic Analyzers, Oscilloscopes, Soldering Tools
– Debuggers, Goodfet
– Optical Probes, SMACK
– Custom Tools and Scripts
Tools Of The Smart Meter Assessment Trade (2)
• Data Analysis
– IDA Pro, Embedded Compilers
– Custom Disassemblers
– Custom Scripts
• Radio Analysis
– Spectrum Analyzers, USRP
– RFCat, KillerBee, Ubertooth
– Custom hardware and scripts
External Resources Security Mitigations
• Head-End Management Servers
– Monitor Activity Logs
– Monitor Firmware Integrity
– Identify New, Missing, Returning Devices
– Incident Response Processes
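
One way a head-end could flag new, missing and returning devices and check firmware integrity on each poll cycle. This is an added example, not code from the slides: the class name, event labels, meter IDs, firmware digests and the "missing after N polls" rule are all assumptions made for illustration.

```python
# Constructed sample data: meter IDs and firmware digests are illustrative only.
APPROVED_FIRMWARE = {"fw-digest-A", "fw-digest-B"}  # digests the utility has approved


class FleetMonitor:
    """Tracks meter check-ins per poll cycle and emits events for the SOC."""

    def __init__(self, missing_after=3):
        self.missing_after = missing_after  # polls without a check-in before "missing"
        self.last_seen = {}                 # meter_id -> poll number of last check-in
        self.missing = set()                # meters currently flagged as missing

    def process_poll(self, poll_no, checkins):
        """checkins: {meter_id: firmware_digest} reported during this poll cycle."""
        events = []
        for meter_id, digest in sorted(checkins.items()):
            if meter_id not in self.last_seen:
                events.append(("NEW", meter_id))
            elif meter_id in self.missing:
                # A meter that vanished and came back deserves a closer look.
                events.append(("RETURNING", meter_id))
                self.missing.discard(meter_id)
            if digest not in APPROVED_FIRMWARE:
                events.append(("FIRMWARE_MISMATCH", meter_id))
            self.last_seen[meter_id] = poll_no
        for meter_id, seen in sorted(self.last_seen.items()):
            if meter_id not in self.missing and poll_no - seen >= self.missing_after:
                self.missing.add(meter_id)
                events.append(("MISSING", meter_id))
        return events


def run_sample():
    """Four constructed poll cycles: meter-002 drops off, then returns altered."""
    monitor = FleetMonitor(missing_after=2)
    polls = [
        {"meter-001": "fw-digest-A", "meter-002": "fw-digest-A"},
        {"meter-001": "fw-digest-A"},
        {"meter-001": "fw-digest-A"},
        {"meter-001": "fw-digest-A", "meter-002": "fw-digest-X",
         "meter-003": "fw-digest-B"},
    ]
    return [monitor.process_poll(n, c) for n, c in enumerate(polls, start=1)]
```

A RETURNING event paired with FIRMWARE_MISMATCH for the same meter is the combination worth routing straight into the incident response process.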
External Resources Security Mitigations (2)
• Secure Device Design Life Cycles
– Leverage current research and vulnerability knowledge
– Obfuscate and encrypt data at rest and in motion
– Security Analysis of hardware and software
External Resources Security Mitigations (3)
• Hardware and Service Acquisition
– Requests For Proposals/Requests For Information
– Teams have to include members from IT Security
Internal AMI Resources
Internal Network Components
• Internal to External Communication Tunnels
• Application Servers
• Database Servers
• Management Systems
Internal/DMZ Network Components
Network Configuration Issues
• Network Segmentation
– Separating the "untrusted" devices from the internal network
  • Any device outside of the direct control of the facility should be considered untrusted
Evil lurks here!
Network Configuration Issues
• Network Segmentation
– Separation of privileges
  • Utility operations staff
  • Server administration
  • Customer Service
  • Customers
Network Configuration Issues
• Do you really own the network?
Network Monitoring
• Where do you monitor?
• Does your IDS/IPS understand?
Network Monitoring Issues
• Can you monitor?
– Cellular Networks
– Managed Vendor Solution
  • Network visibility
  • Host visibility
Network Monitoring Mitigations
• Know your network!
– Protocols
– Devices
• Work with your vendors
– AMI <- (think SLA)
– IDS/IPS
• Incident response plan
AMI Web Application Vulnerabilities
• Are AMI web vulnerabilities unique?
– Cross-Site Scripting
– Cross-Site Request Forgery
– SQL Injection
– Privilege Escalation
– and so on…
AMI Web Application Vulnerabilities
• What about their impact?
AMI Web Vulnerability Impact
AMI Web Vulnerability Mitigations
• SDLC (yeah, yeah)
• Web application penetration test or vulnerability assessment (maybe)
• Cryptographic signing of all critical requests
• Throttling of critical requests
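
A server-side gate that combines the last two mitigations: each critical request carries an HMAC signature over its fields, and accepted requests are throttled per operator. This is an added example, not code from the slides: the request schema, the `remote_disconnect` action name, the operator ID, the key and the limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque

FIELDS = ("operator", "action", "meter_id", "nonce", "ts")  # assumed request schema

def sign(key, req):
    """HMAC-SHA256 over a canonical encoding of every field that affects the action."""
    body = json.dumps({k: req[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class CriticalRequestGate:
    def __init__(self, keys, max_requests=2, window_s=60, max_skew_s=30):
        self.keys = keys                    # operator id -> shared secret (bytes)
        self.max_requests = max_requests    # accepted critical requests per window
        self.window_s = window_s
        self.max_skew_s = max_skew_s        # tolerated clock skew for the signed timestamp
        self.seen_nonces = set()            # production: expire entries older than max_skew_s
        self.accepted = defaultdict(deque)  # operator id -> timestamps of accepted requests

    def check(self, req, signature, now):
        if any(k not in req for k in FIELDS) or req["operator"] not in self.keys:
            return "reject: malformed or unknown operator"
        expected = sign(self.keys[req["operator"]], req)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "reject: bad signature"
        if abs(now - req["ts"]) > self.max_skew_s or req["nonce"] in self.seen_nonces:
            return "reject: stale or replayed"
        recent = self.accepted[req["operator"]]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()                # drop accepts that fell out of the window
        if len(recent) >= self.max_requests:
            return "reject: throttled"
        self.seen_nonces.add(req["nonce"])
        recent.append(now)
        return "accept"

def run_sample():
    key = b"constructed-demo-key"           # constructed value, not a real secret
    gate = CriticalRequestGate({"op-17": key})
    def make(nonce, ts, meter="meter-001"):
        return {"operator": "op-17", "action": "remote_disconnect",
                "meter_id": meter, "nonce": nonce, "ts": ts}
    first = make("n1", 1000)
    sig = sign(key, first)
    results = [gate.check(first, sig, now=1000)]       # valid request
    results.append(gate.check(first, sig, now=1005))   # same nonce replayed
    forged = dict(first, meter_id="meter-999", nonce="n2")
    results.append(gate.check(forged, sig, now=1005))  # fields changed after signing
    for nonce, ts in (("n3", 1010), ("n4", 1020), ("n5", 1070)):
        r = make(nonce, ts)
        results.append(gate.check(r, sign(key, r), now=ts))
    return results
```

Because the signature covers the meter ID, nonce and timestamp, a request replayed or retargeted through XSS or CSRF fails verification, and the throttle caps how many meters a single compromised operator session can affect per window.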
Smart Grid Security Efforts
• NIST Smart Grid Interoperability Panel (SGiP) - Cyber Security Working Group (CSWG): http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG
• Advanced Security Acceleration Project for Smart Grid (ASAP-SG) - developed the AMI Security Profile v2 for SGiP-CSWG/OpenSG AMI-SEC
• Open Smart Grid (OpenSG) - Smart Grid Security: http://osgug.ucaiug.org/utilisec/default.aspx
• North American Electric Reliability Corporation (NERC) - think PCI-DSS
• DHS: http://www.smartgrid.gov/federal_initiatives/federal_smart_grid_task_force/department_of_homeland_security
• DOE: http://energy.gov/oe/technology-development/smart-grid
• ICS-CERT: http://www.us-cert.gov/control_systems/ics-cert/
– Where do AMI vulnerabilities go?
• IEEE Smart Grid: http://smartgrid.ieee.org/
Thank you
• Any Questions?
• Contact information:
John Sawyer
Twitter: @johnhsawyer
Don C. Weber
@cutaway