Unified Architecture for LargeScale Attested Metering - PowerPoint PPT Presentation

1 / 30
About This Presentation
Title:

Unified Architecture for LargeScale Attested Metering

Description:

Project Objective: Create a secure, private, and extensible ... Hart, 1989; Residential energy monitoring and computerized surveillance via utility power flows ... – PowerPoint PPT presentation

Number of Views:45
Avg rating:3.0/5.0
Slides: 31
Provided by: michae145
Category:

less

Transcript and Presenter's Notes

Title: Unified Architecture for LargeScale Attested Metering


1
Unified Architecture for Large-Scale Attested
Metering
Michael LeMay George Gross Carl Gunter Sanjam Garg
2
Outline
  • Introduction
  • Advanced Metering Overview
  • Threat Model
  • Security Architecture
  • Application to Threat Model
  • Future Work

3
Introduction
  • Problem Advanced Meters exhibit a number of
    security and privacy vulnerabilities
  • Project Objective Create a secure, private, and
    extensible architecture for future advanced
    meters
  • Approach Attested Metering Apply Trusted
    Computing (TC) and virtualization technology to
    secure Advanced Metering network communications
    and computation

4
Advanced Metering Infrastructure (AMI)
  • Advanced Meters Electronic utility meters with
    bidirectional network connections to the Meter
    Data Management Agency (MDMA)
  • Network types
  • RF wireless (ZigBee/802.15.4, Wi-Fi/802.11,
    proprietary)
  • Power-Line Communication (PLC)
  • Broadband over PowerLines (BPL)
  • Cellular (CDMA, GSM)
  • Phone line
  • Benefits
  • Customer control
  • Demand response
  • Improved reliability

5
Advanced Meter Functions
  • Read data such as kWh consumption
  • Disconnect/reconnect power remotely
  • Request demand response from premise
  • Execute diagnostics
  • Reset meter (change season mode)
  • Set date/time
  • Clear tables
  • Log in (username/password)
  • Log out

6
Metering Interactions
7
Partial threat model
  • Unethical customer
  • May attempt to modify metering messages to steal
    service
  • Has legitimate physical access to meter, could
    modify it
  • Overly-intrusive MDMA
  • Could use high-resolution metering data to
    determine behavior of metered residents
  • Publicity seeker
  • Cracker or virus author seeking physical
    disruption to garner publicity

Hart, 1989 Residential energy monitoring and
computerized surveillance via utility power flows
8
Security Architecture Layers
9
Security Architecture
  • Use hypervisor on embedded processor to isolate
    metering applications
  • Control network communications to external
    entities to prevent undesirable data leakage
  • Use remote attestation to guarantee integrity of
    system components and individual VMs

10
Approach Unethical Customer
  • Review
  • May attempt to modify metering messages to steal
    service
  • Has legitimate physical access to meter, could
    modify it
  • Remote attestation with virtualization verified
    by MDMA to ensure software was not tampered
  • Physical tampering important (and very common)
    but mostly outside our scope
  • Sometimes detectable if customer cuts connection
    to meter, causing outage notification to be
    transmitted

11
Approach Intrusive MDMA
Measurement
What software are you running?
0x5413bcd731a4,0x8baaaf53,
Certify the software and TPM.
0x5413bcd731a4
OK, I trust you to calculate the bill.
Measurement
Measurement
Measurement
11
12
Approach Intrusive MDMA
  • Review
  • Could use high-resolution metering data to
    determine behavior of metered residents
  • Network monitor and irrevocable auditing notify
    customer of MDMA actions
  • Remote attestation permits MDMA to confidently
    perform billing computations locally on meter

13
Metering Workflows
14
Virus/Worm Attack
15
Virus/Worm Attack
16
Publicity seekers
  • Review
  • Cracker or virus author seeking physical
    disruption to garner publicity
  • Application isolation prevents compromised
    applications from affecting other parts of the
    meter.

17
Future Work
  • Address issues surrounding software distribution,
    updates, and removal
  • Port to embedded architecture such as ARM or
    Atmel AVR, or other microcontroller used in
    modern meters
  • Define and address key management issues
  • Explore security-critical value-added
    applications for advanced meters, such as
    emergency network retasking

18
Questions?
  • Website
  • http//seclab.uiuc.edu/attested-meter
  • Michael LeMay
  • mdlemay2_at_cs.uiuc.edu
  • George Gross
  • gross_at_uiuc.edu
  • Carl A. Gunter
  • cgunter_at_cs.uiuc.edu

19
Appendices
20
AMI (cont.)
  • Standards
  • ANSI C12.19
  • Specifies how data is laid out in a meter, in
    terms of predefined tables
  • Meter functions invoked by writing to special
    table and reading results from other tables
  • ANSI C12.18
  • Specifies how C12.19 tables are accessed using an
    optical port (or RS-232 in rare cases)
  • ANSI C12.22
  • Similar to C12.18, but works with any network

C12.18 port
21
Virtualization
  • Hypervisors, or Virtual Machine Monitors (VMMs),
    run entire guest operating systems in isolated
    system partitions
  • Provide strong isolation between guests to
    prevent software by one vendor from interfering
    with software by another vendor

21
22
Trusted Computing Problem
  • Software is controlled by machine operator
  • Machine operator, software distributor, or
    attacker can maliciously subvert software
  • Modify binary
  • Run on untrusted hardware
  • Attach debugger to monitor operation
  • Software publisher has no assurance that software
    is being used in unmodified state, as intended

22
23
Remote Attestation
  • Uses keys and Platform Configuration Registers
    (PCRs) embedded in Trusted Platform Module (TPM)
    to attest to integrity of system configuration
  • Possible assurances
  • System running trusted software
  • System equipped with valid TPM
  • Applications can also attest to the states of
    specific data files

24
Approach Curious Eavesdropper
  • Review
  • Someone casually spying on neighbor
  • Probably wouldnt go beyond scripted attack tools
  • Use network technologies that support per-link
    encryption, not network-wide shared keys
  • If necessary, use cryptographic tunnels

25
Approach Motivated Eavesdropper
  • Review
  • Thief, criminal seeking intelligence on victims
  • May be willing to physically modify hardware
  • Soft attacks addressed by strong encryption.
  • Physical attacks important but outside our scope

26
Approach Active Attacker
  • Review
  • Wants to destabilize grid or cause blackout
  • Could perform DoS to block demand reduction
    signals
  • Could directly attack remote disconnect function
    on many meters to disconnect homes and businesses
  • Properly authenticate and authorize MDMA,
    customer, and any other entities with access to
    control functions on meters.

27
Prototype Hardware
  • Hardware
  • Dell laptop with TPM and USB ZigBee interface
    emulating meter
  • RS-232 connected ammeter
  • USB-connected UPS emulating battery backup,
    outage detection, and frequency measurement
  • X10 home automation devices
  • Desktop PC with RS-232 ZigBee interface emulating
    customer PC or MDMA

28
Prototype HW Overview
29
Prototype Hardware
30
Prototype Software
  • Java implementation of ANSI C12.19 with C12.22
  • Xen Virtual Machine Monitor
  • Linux Integrity Management Architecture (IBM)
  • TrouSerS IBM Linux TCG Software Stack
  • jTSS Java wrapper for TrouSerS

31
Prototype Applications
  • Consumer portal
  • Provides realtime data about energy usage, demand
    response actions, and audit logs to customer
  • Allows customer to
  • Verify operation of external network filter
  • Monitor transmissions from VMs
  • Check audit logs for administrative actions
    performed on meter

32
Prototype Applications (cont.)
  • Meter Data Management VM
  • Provides billing data, outage restoration
    notifications, and maintenance information to
    MDMA
  • Accepts price schedules from MDMA
  • Demand Response VM
  • Processes direct Demand Response (DR) requests
    from MDMA VM
  • Enacts customer DR preferences based on price
    signals received from MDMA VM

33
How can you help us?
  • Please give us feedback!
  • Visit our website for more information
    http//seclab.uiuc.edu/attested-meter
  • We welcome donations of metering hardware and
    software
  • Helps us to understand capabilities of practical
    devices
  • Directs our research to help solve actual
    problems in real devices
Write a Comment
User Comments (0)
About PowerShow.com