Unified Architecture for Large-Scale Attested Metering
Michael LeMay
George Gross
Carl Gunter
Sanjam Garg
Outline
• Introduction
• Advanced Metering Overview
• Threat Model
• Security Architecture
• Application to Threat Model
• Future Work
Introduction
• Problem: Advanced Meters exhibit a number of security and privacy vulnerabilities
• Project Objective: Create a secure, private, and extensible architecture for future advanced meters
• Approach: Attested Metering: Apply Trusted Computing (TC) and virtualization technology to secure Advanced Metering network communications and computation
Advanced Metering Infrastructure (AMI)
• Advanced Meters: Electronic utility meters with bidirectional network connections to the Meter Data Management Agency (MDMA)
• Network types:
  – RF wireless (ZigBee/802.15.4, Wi-Fi/802.11, proprietary)
  – Power-Line Communication (PLC)
  – Broadband over PowerLines (BPL)
  – Cellular (CDMA, GSM)
  – Phone line
• Benefits:
  – Customer control
  – Demand response
  – Improved reliability
Advanced Meter Functions
• Read data such as kWh consumption
• Disconnect/reconnect power remotely
• Request demand response from premise
• Execute diagnostics
• Reset meter (change season mode)
• Set date/time
• Clear tables
• Log in (username/password)
• Log out
Metering Interactions
Partial threat model
• Unethical customer
  – May attempt to modify metering messages to steal service
  – Has legitimate physical access to meter, could modify it
• Overly-intrusive MDMA
  – Could use high-resolution metering data to determine behavior of metered residents
• Publicity seeker
  – Cracker or virus author seeking physical disruption to garner publicity
Hart, 1989; Residential energy monitoring and computerized surveillance via utility power flows
Security Architecture Layers
Security Architecture
• Use hypervisor on embedded processor to isolate metering applications
• Control network communications to external entities to prevent undesirable data leakage
• Use remote attestation to guarantee integrity of system components and individual VMs
Approach: Unethical Customer
• Review:
  – May attempt to modify metering messages to steal service
  – Has legitimate physical access to meter, could modify it
• Remote attestation with virtualization verified by MDMA to ensure software was not tampered with
• Physical tampering important (and very common) but mostly outside our scope
  – Sometimes detectable if customer cuts connection to meter, causing outage notification to be transmitted
Approach: Intrusive MDMA
[Figure: attestation exchange. Callouts: "What software are you running?", "Certify the software and TPM.", "OK, I trust you to calculate the bill." Labels: Measurement; 0x5413bcd731a4; 0x5413bcd731a4, 0x8baaaf53, …]
Virus/Worm Attack
Virus/Worm Attack
Future Work
• Address issues surrounding software distribution, updates, and removal
• Port to embedded architecture such as ARM or Atmel AVR, or other microcontroller used in modern meters
• Define and address key management issues
• Explore security-critical value-added applications for advanced meters, such as emergency network retasking
Questions?
• Website: http://seclab.uiuc.edu/attested-meter
• Michael LeMay: [email protected]
• George Gross: [email protected]
• Carl A. Gunter: [email protected]
Appendices
AMI (cont.)
• Standards:
  – ANSI C12.19:
    • Specifies how data is laid out in a meter, in terms of predefined tables
    • Meter functions invoked by writing to special table and reading results from other tables
  – ANSI C12.18:
    • Specifies how C12.19 tables are accessed using an optical port (or RS-232 in rare cases)
  – ANSI C12.22:
    • Similar to C12.18, but works with any network
[Figure: C12.18 port]
Virtualization
• Hypervisors, or Virtual Machine Monitors (VMMs), run entire guest operating systems in isolated system partitions
  – Provide strong isolation between guests to prevent software by one vendor from interfering with software by another vendor
Trusted Computing Problem
• Software is controlled by machine operator
• Machine operator, software distributor, or attacker can maliciously subvert software
  – Modify binary
  – Run on untrusted hardware
  – Attach debugger to monitor operation
• Software publisher has no assurance that software is being used in unmodified state, as intended
Remote Attestation
• Uses keys and Platform Configuration Registers (PCRs) embedded in Trusted Platform Module (TPM) to attest to integrity of system configuration
• Possible assurances:
  – System running trusted software
  – System equipped with valid TPM
• Applications can also attest to the states of specific data files
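
Added example (not from the original slides or the authors' prototype): a Python sketch of the measure, extend, quote and verify cycle behind the remote attestation described above, as an MDMA-side check of a meter. Component names, key and nonces are constructed; an HMAC stands in for the TPM's signature over the PCR value, and SHA-1 mirrors TPM 1.2-era PCRs.

```python
import hashlib
import hmac

def measure(blob: bytes) -> bytes:
    return hashlib.sha1(blob).digest()   # TPM 1.2-era PCRs hold SHA-1 digests

def extend(pcr: bytes, digest: bytes) -> bytes:
    return hashlib.sha1(pcr + digest).digest()   # PCR_new = H(PCR_old || digest)

def replay(log):
    pcr = bytes(20)                      # PCR starts as all zeros at boot
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def boot(components):  # meter side: measure each component in load order
    log = [(name, measure(blob)) for name, blob in components]
    return replay(log), log

def quote(key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    # Assumption: HMAC stands in for the TPM's signature over (PCR, nonce).
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()

def verify(key, nonce, pcr, sig, log, known_good):
    """MDMA side: check the quote, replay the log, compare to known-good digests."""
    if not hmac.compare_digest(quote(key, pcr, nonce), sig):
        return "reject: bad signature or stale nonce"
    if replay(log) != pcr:
        return "reject: log does not match quoted PCR"
    for name, digest in log:
        if known_good.get(name) != digest:
            return "reject: unknown measurement for " + name
    return "accept"

# Constructed sample data (hypothetical component names and contents).
KEY = b"constructed-demo-key"
GOOD = [("hypervisor", b"xen-build-A"), ("mdm-vm", b"billing-v1"), ("dr-vm", b"dr-v1")]
KNOWN_GOOD = {name: measure(blob) for name, blob in GOOD}

def demo():
    n1, n2 = b"nonce-1", b"nonce-2"
    pcr, log = boot(GOOD)
    bad_pcr, bad_log = boot([GOOD[0], ("mdm-vm", b"billing-v1-patched"), GOOD[2]])
    return {
        "clean": verify(KEY, n1, pcr, quote(KEY, pcr, n1), log, KNOWN_GOOD),
        "replayed": verify(KEY, n2, pcr, quote(KEY, pcr, n1), log, KNOWN_GOOD),
        "tampered": verify(KEY, n1, bad_pcr, quote(KEY, bad_pcr, n1), bad_log, KNOWN_GOOD),
        "forged_log": verify(KEY, n1, bad_pcr, quote(KEY, bad_pcr, n1), log, KNOWN_GOOD),
    }
```

Calling `demo()` returns the verdict for a clean meter, a replayed quote, a modified VM image, and a meter that reports a clean log while its PCR reflects the modified image.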
Approach: Curious Eavesdropper
• Review:
  – Someone casually spying on neighbor
  – Probably wouldn’t go beyond scripted attack tools
• Use network technologies that support per-link encryption, not network-wide shared keys
  – If necessary, use cryptographic tunnels
Approach: Motivated Eavesdropper
• Review:
  – Thief, criminal seeking intelligence on victims
  – May be willing to physically modify hardware
• “Soft” attacks addressed by strong encryption.
• Physical attacks important but outside our scope
Approach: Active Attacker
• Review:
  – Wants to destabilize grid or cause blackout
  – Could perform DoS to block demand reduction signals
  – Could directly attack remote disconnect function on many meters to disconnect homes and businesses
• Properly authenticate and authorize MDMA, customer, and any other entities with access to control functions on meters.
Prototype Hardware
• Hardware:
  – Dell laptop with TPM and USB ZigBee interface emulating meter
  – RS-232 connected ammeter
  – USB-connected UPS emulating battery backup, outage detection, and frequency measurement
  – X10 home automation devices
  – Desktop PC with RS-232 ZigBee interface emulating customer PC or MDMA
Prototype HW Overview
Prototype Hardware
Prototype Software
• Java implementation of ANSI C12.19 with C12.22
• Xen Virtual Machine Monitor
• Linux Integrity Management Architecture (IBM)
• TrouSerS: IBM Linux TCG Software Stack
• jTSS: Java wrapper for TrouSerS
Prototype Applications
• Consumer portal
  – Provides realtime data about energy usage, demand response actions, and audit logs to customer
  – Allows customer to:
    • Verify operation of external network filter
    • Monitor transmissions from VMs
    • Check audit logs for administrative actions performed on meter
Prototype Applications (cont.)
• Meter Data Management VM
  – Provides billing data, outage & restoration notifications, and maintenance information to MDMA
  – Accepts price schedules from MDMA
• Demand Response VM
  – Processes direct Demand Response (DR) requests from MDMA VM
  – Enacts customer DR preferences based on price signals received from MDMA VM
How can you help us?
• Please give us feedback!
• Visit our website for more information: http://seclab.uiuc.edu/attested-meter
• We welcome donations of metering hardware and software
  – Helps us to understand capabilities of practical devices
  – Directs our research to help solve actual problems in real devices