
ENEE 4999 X10

ENEE 5910 X11

Advanced Metering Infrastructure
and Cyber Security

Dr. Raziq Yaqub

raziq-yaqub@utc.edu
dr.raziq@gmail.com

1 of 53
by Dr. Raziq Yaqub

Warning!
This Material MUST NOT BE
Copied, Reproduced or Forwarded

Chapter 03-A
AMI and Security Aspects at
Subscriber End and Network

Contents

US Federal Government Efforts to Secure Smart Grids
Security Need and Security Definition
Security Requirements, Threats, Vulnerabilities
Architecture of Cyber Security and Security Protocols
Logical Reference Model and Interfaces of Cyber Security
Cryptography and Key Management
Energy Theft and Vulnerabilities
In-Home Security / Privacy Aspects
Smart Metering Programs
DOE Efforts to Secure Smart Grids
FERC Efforts to Secure Smart Grids


Setting the Stage

Why is Security Needed?

Protect vital information, while still allowing access to those who need it
  For example: trade secrets, medical records

Provide authentication and access control for resources
  For example: the telephone network

Guarantee availability of resources


Who is Vulnerable?

Government, Citizens
Utility/Service Provider Networks and End Users
  Phone, Internet, Energy, Water, Gas
Financial Institutions and Subscribers

What to Secure?

Physical Security
Protect
Facilities
Buildings
Properties
Houses


What to Secure?

Hardware Security
Protect hardware e.g.
Computers
Networks
Routers
Channels (to prevent eavesdroppers)

What to Secure?

Software Security
Protect software, e.g.
Operating systems
Server protocols
Application Software


What to Secure in Smart Grid?

Initially most of the smart grid would not be on the Internet, BUT
an attack may be started from a

Hacked Meter
Hacked Concentrator
Hacked sub-station

What to Secure in Smart Grid?

Protect and Secure National Infrastructure of
  Electric Grid
  Telecommunications
RIGHT NOW!! Strong interdependence of these infrastructures can produce a cascading effect


Why Secure Infrastructure?

SECURITY is an ISSUE: no longer an add-on or a feature
September 11, 2001, was a wake-up call
Protect & Secure National Infrastructure

Why Secure Infrastructure?

Industry reshaping: mergers, acquisitions, privatization
Competition increasing
Reliance on computer systems for decision making is becoming heavy


Why Secure Infrastructure?

Risk of terrorism increasing

US Federal Government Efforts for Cyber Security

Government Steps: Several Programs

Physical Security
  Employment Screening
  Buildings Security

Cyber Security
  Protecting Systems (Communications, Grids, etc.)
  Protecting Information

Risk Response
  Risk assessment
  Threat response capability
  Emergency management
  Continuity of business processes


US Federal Government Efforts for Cyber Security

Government Steps: Policies

For example:
  NERC (North American Electric Reliability Corporation)
  CIPAG (Critical Infrastructure Protection Advisory Group)
  NIPC (National Infrastructure Protection Center)
  ES-ISAC (Information Sharing and Analysis Center)

US Federal Government Efforts for Cyber Security

Government Steps: Initiatives

Developed PKI (Public Key Infrastructure)
Developed SED (Spare Equipment Database)
Developed Security Guidelines for the electric sector
Developed Security Policy


US Federal Government Efforts for Cyber Security

Government Steps: Initiatives
Establishment of CIN/SI (Complex Interactive Network/Systems Initiative)

A joint program of
  Department of Defense
  Electric Power Research Institute

Objectives of CIN/SI: develop techniques
  To face threats and failures
  To avoid cascading effects
  For a self-healing infrastructure

Security Definition


Security Definition

Protecting Information, Services and ICS/CI, but still allowing access to users

Protecting information from
  Unauthorized access
  Unauthorized modification
  Unauthorized use
  Unauthorized disclosure

It includes securing
  Network and allied infrastructure,
  Applications and databases

Threats Attacks Vulnerabilities


Security Threats, Attacks, Vulnerabilities

Threat
Expressed potential for the occurrence of a harmful event (such as an attack)

Security Threats, Attacks, Vulnerabilities

Vulnerability (weak point)
  Weakness that makes targets susceptible to an attack
  Vulnerability is the weakest link in the chain
  A system aspect that allows someone to launch a successful attack
  Also called a security hole

Security Weakness (vs. Vulnerability)
  It is like a vulnerability whose risk is unclear
  Several weaknesses might combine to yield a full-fledged vulnerability


Vulnerability Points

Use of removable devices, e.g.
  Wi-Fi enabled device connecting to the Data Acquisition system
  Infected Bluetooth enabled devices

Insufficiently secure access networks, e.g.
  Wi-Fi, WAN, MAN

Vulnerability Points

Insufficiently secure network entities, e.g.
  Corporate web server
  Email servers
  Internet gateways

Insufficiently secure protocols, e.g.
  DNP3 implements TLS & SSL encryption, which is weak
  IEC 61850 standard is still weak


Security Threats, Attacks, Vulnerabilities

Attack
Action with the intention of doing harm
Action that compromises the security

Virus/Worm Attack

(Figure: meter hacked for ENERGY THEFT)


Virus/Worm Attack

(Figure: GRID ATTACK LAUNCHED)

Attack from HAN

Will a trusted network be used?
Logical entity managing all devices: Energy Management System
Devices may be Utility-controllable, EMS-controllable, or Self-controllable
Registered devices vs. Non-registered devices

(Figure: home EMS, IHD, gateway, EVSE, PEV, smart meter, AMI meter, EUMD, DER)

IHD = In Home Devices
EVSE = Electric Vehicle Supply Equipment
EUMD = Essential Unscheduled Maintenance Demand
PEV = Plug-in Electric Vehicle
DER = Distributed Energy Resources


Types of attacks

Attacks: Active Attack | Passive Attack

Active attacks (actively modifying or controlling data)
  Hardware Failure
  Gain access to control, modify, spoof, or hijack data or service
  Destabilize Grid (altering load conditions may result in cascading effects)
  Virus Attack (virus arrives via the internet & resides in the computer system)
  DOS Attack (Denial of Service)

Types of attacks (contd.)

Attacks: Active Attack | Passive Attack

Passive attacks (difficult to perform, but very powerful; they do not involve any alteration of data)
  Misuse of Service: access without authentication and enjoy services
  Industrial Spying/Analysis: access without authentication and leak the information
  Eavesdropping: monitoring of transmission


Common Security Attacks

Finding a way into the network
Exploiting Software Bugs, Viruses
Packet sniffing
TCP hijacking
Denial of Service (making a network service unusable, usually by overloading the server or network)

Denial Of Service

Types of DoS attacks

Flooding
  Send packets with a bogus source address.
  Server keeps the connection open; eventually its memory is exhausted

SMURF
  Source IP address of a broadcast ping is forged
  Large number of machines respond back to the victim, overloading it

Distributed Denial of Service
  Same techniques as regular DoS, but on a much larger scale


Attack (Example-1)

1. Covert Channel
Pretends to be an application that most firewalls permit through, while in
fact it carries illicit data in control fields of the TCP and IP headers

(Figure: an HTTP tunnel through the corporate firewall, which permits outbound
HTTP; once the exchange of information starts, the hidden message inside HTTP
is carried out to the Internet)

Attack (Example-2)

Examples of Real World Security Attacks

2. DNS Anomalies

THINK: if DNS is compromised (figure: numbered steps 1 to 4)


Attack (Example-3)

Examples of Real World Security Attacks

3. Code injections
Injecting code into a vulnerable computer program and changing the course of execution

Attack (Example-4)

Examples of Real World Security Attacks

4. Self Signed certificates
To secure both external and internal communications, certificates signed by
CAs (Certificate Authorities) are used. BUT, due to increased attacks on CAs, we
can use self-signed certificates. However, self-signed certificates cannot be
monitored, therefore cyber-criminals may exploit this strategy and turn it into
a weakness/attack.


Attack (Example-5)

Examples of Real World Security Attacks

5. Man in the Middle (MiTM) Attack
Attacker secretly relays and possibly alters the communication between two
parties who believe they are directly communicating with each other

Dictionary Attack (Example-6)

Run a dictionary attack on the passwords


Thus passwords should be meaningless random junk
For example, sdfo839f is a good password


TCP Attack

Alice and Bob have established TCP Connection

TCP Attack

Attacker Sniffs the packets and learns about the associated TCP state
for the connection


TCP Attack

Attacker lies on the path between Alice and Bob on the network
He intercepts all of their packets


TCP Attack

Attacker may drop all of Alice's original packets (figure: packets sent into the void)

TCP Attack

Attacker may insert his malicious packets (figure: packet with ISN, SRC=Alice)


How do we prevent TCP Attack?

IPSec
Provides source authentication, so attacker cannot pretend to be Alice
Encrypts data before transport, so attacker cannot talk to Bob without
knowing what the session key is

Counter Measures to Attacks

Finding a way into the network
  Counter Measure: Firewalls

Exploiting Software Bugs, Viruses
  Counter Measure: Intrusion Detection Systems

Denial of Service
  Counter Measure: Ingress Filtering

Packet sniffing
  Counter Measure: Encryption (SSH, SSL, HTTPS)

TCP hijacking
  Counter Measure: IPSec


Firewalls

Way to limit access to the network
Firewall is like a castle with a drawbridge: only one point of access into the network

Firewalls

DMZ: web server, email server, web proxy, etc.
Unauthorized traffic is rejected


Firewalls

Packet filtering firewalls
  Used to filter packets based on a combination of features
Some routers come with firewall functionality
  Examples: Unix systems, Windows XP and Mac have a built-in firewall
Firewall is kept up-to-date by administrators
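As an added example (not from the slides), here is a small first-match packet-filtering firewall in Python that applies the DMZ policy of the previous slides: the Internet reaches only the DMZ servers on their published ports, the LAN may only browse outbound, and anything unmatched is rejected. Network ranges, hosts and rules are assumed for illustration.

```python
# Added example (not from the slides): a first-match packet-filtering firewall
# guarding a DMZ, in the spirit of the "castle with one drawbridge" picture.
# All networks, hosts and rules are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # corporate LAN (assumed)
DMZ = ip_network("192.0.2.0/24")         # DMZ (assumed, documentation range)
WEB = ip_address("192.0.2.10")           # public web server in the DMZ
MAIL = ip_address("192.0.2.25")          # public mail server in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


def _zone(addr):
    a = ip_address(addr)
    return "lan" if a in INTERNAL else "dmz" if a in DMZ else "internet"


# Rules are evaluated top to bottom; the first match decides. Anything that
# matches no rule is rejected (default deny: the single drawbridge).
RULES = [
    ("internet may reach the DMZ web server on HTTPS",
     lambda p: ip_address(p.dst) == WEB and p.proto == "tcp" and p.dport == 443, "allow"),
    ("internet may reach the DMZ mail server on SMTP",
     lambda p: ip_address(p.dst) == MAIL and p.proto == "tcp" and p.dport == 25, "allow"),
    ("LAN may browse the internet (outbound HTTP/HTTPS only)",
     lambda p: _zone(p.src) == "lan" and _zone(p.dst) == "internet"
               and p.proto == "tcp" and p.dport in (80, 443), "allow"),
    ("DMZ hosts never open connections into the LAN",
     lambda p: _zone(p.src) == "dmz" and _zone(p.dst) == "lan", "deny"),
]


def decide(p: Packet):
    """Return (action, reason) for one packet."""
    for reason, match, action in RULES:
        if match(p):
            return action, reason
    return "deny", "default deny: unauthorized traffic is rejected"


def filter_all(packets):
    """Apply the policy to a list of packets; returns a list of (packet, action)."""
    return [(p, decide(p)[0]) for p in packets]
```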

Intrusion Detection

Uses intrusion signatures
  Well known patterns of behavior
Statistical ways
  Trace out origin of unauthorized user
  Keep record of unauthorized user
  Initiate Security Alarm if the same intruder tries to re-attack
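An added example (not the course's own material) of the signature-based detection and repeat-intruder alarm described above, run over constructed log lines; the signatures, the log format and the source addresses are assumptions.

```python
# Added example (not from the slides): a signature-based intrusion detector
# that records the origin of every hit and raises an alarm when the same
# intruder re-attacks. Signatures and log lines are constructed samples.
import re
from collections import defaultdict

# "Well known patterns of behavior" (constructed, not a real ruleset)
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"('|%27)\s*(or|and)\s+\d+=\d+", re.IGNORECASE),
    "known scanner": re.compile(r"User-Agent: \S*scanner", re.IGNORECASE),
}
# Constructed log format: "<timestamp> <source IP> <request>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<msg>.*)$")


class SignatureIDS:
    def __init__(self):
        # "Keep record of unauthorized user": source IP -> [(time, signature)]
        self.record = defaultdict(list)

    def inspect(self, line):
        """Return (src, signature, alarm) on a hit, or None for benign lines."""
        m = LOG_RE.match(line)
        if not m:
            return None
        for name, pattern in SIGNATURES.items():
            if pattern.search(m["msg"]):
                src = m["src"]
                # Alarm only when this origin has attacked before (re-attack)
                alarm = bool(self.record[src])
                self.record[src].append((m["ts"], name))
                return src, name, alarm
        return None


SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 GET /index.html
2024-05-01T10:00:05Z 203.0.113.9 GET /../../etc/passwd
2024-05-01T10:00:06Z 198.51.100.7 GET /about.html
2024-05-01T10:02:30Z 203.0.113.9 GET /login?user=a' or 1=1
2024-05-01T10:03:00Z 192.0.2.44 GET / User-Agent: fake-scanner/1.0
"""


def run(log=SAMPLE_LOG):
    """Inspect every line; returns the list of hits in order."""
    ids = SignatureIDS()
    return [hit for hit in (ids.inspect(l) for l in log.splitlines()) if hit]
```

The second hit from 203.0.113.9 is the one that raises the alarm, because the origin was already on record from its first attempt.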


Ingress filtering

Drop a packet if it arrives on an interface that does not have a route back to
the packet's source IP address
RFC 2267 has more information about this
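An added example (not from the slides) of the ingress filtering check above, which also shows how the bogus-source packets of the flooding and SMURF slides are stopped at the router: a packet is accepted only when the route back to its source leaves through the interface it arrived on. The routing table, interface names and packets are constructed.

```python
# Added example (not from the slides): ingress filtering as described on the
# slide and in RFC 2267, applied to the bogus-source packets of the flooding
# and SMURF slides. Routing table, interfaces and packets are all constructed.
from ipaddress import ip_address, ip_network

# Constructed forwarding table: (prefix, interface). Longest prefix wins.
ROUTES = [
    (ip_network("0.0.0.0/0"), "wan0"),       # default route towards the ISP
    (ip_network("10.0.0.0/8"), "lan0"),      # corporate LAN
    (ip_network("192.0.2.0/24"), "dmz0"),    # DMZ
]


def route_interface(addr):
    """Interface the router would use to reach addr (longest-prefix match)."""
    best = None
    for prefix, iface in ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def ingress_ok(src, in_iface):
    """Accept only if the route back to the source leaves via the arrival interface."""
    return route_interface(ip_address(src)) == in_iface


def filter_packets(packets):
    """packets: iterable of (src, in_iface). Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for src, iface in packets:
        (accepted if ingress_ok(src, iface) else dropped).append((src, iface))
    return accepted, dropped


# Constructed sample: the last three carry forged sources. A flood or broadcast
# ping claiming a LAN/DMZ source but arriving from the Internet side is dropped,
# as is an internal host pretending to be an external address.
SAMPLE = [
    ("10.1.2.3", "lan0"),
    ("192.0.2.10", "dmz0"),
    ("198.51.100.7", "wan0"),
    ("10.1.2.3", "wan0"),
    ("192.0.2.10", "wan0"),
    ("198.51.100.7", "lan0"),
]
```

This is the strict form of the check; where routing is asymmetric a legitimate source can arrive on an interface other than the one the route back uses, which is why it is normally applied at single-homed edges.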

Packet Sniffing

Counter Measure:
Cryptography (Art of Encryption and Decryption)
Technique to defend data in transit between systems

Encryption
Plain Text (information) is transformed into unreadable text
Only the intended receiver (who has a key) can read the text

Ciphering: Plain Text --(Transformation)--> Unreadable Text


Packet Sniffing

Counter Measure:
Cryptography (Art of Encryption and Decryption)
Technique to defend data in transit between systems

Decryption
Unreadable Text is transformed into Plain Text (information)
Only the intended receiver (who has a key) can read the text

De-Ciphering: Unreadable Text --(Transformation)--> Plain Text

Cryptography

Objectives
  Detect attack
  Prevent attack
  Recover from attack

Standards

Cryptographic Standards
  RSA (Rivest-Shamir-Adleman)
  DSA (Digital Signature Algorithm)
  DES (Data Encryption Standard)
  MD5 (Message Digest 5 Algorithm)
  SHA1 (Secure Hash Algorithm Version 1.0)


RSA Provides Assurance

Analogy (replica of the functions associated with physical documents), e.g.

Paper Document                          | Digital Document
Original or copy can be distinguished   | Original/copy cannot be distinguished
Alteration may leave some trace         | Alteration doesn't leave a trace
May have some sort of authenticity      | Does not have any sort of authenticity

Covered-material Review Questions
(CRQ)

CRQ# 03-01


CRQ1

Pick the most accurate statement

Steps taken by the US Government for securing infrastructures include:
A. Establishing Financial Institutions to research identity theft
B. Promoting Security as an add-on feature over all utility networks
C. Devising joint programs, policies, and initiatives, to combat security risks
D. Encouraging Competition among the companies for information protection

CRQ2

Pick the most accurate statement


NERC (North American Electric Reliability Corporation)
A. Developed PKI (Public Key Infrastructure)
B. Developed SED (Spare Equipment Database)
C. Developed Security Guidelines and Security Policy for the electric sector
D. All of above


CRQ3

Pick the most accurate statement


Security is defined as
A. Protecting Physical Infrastructure, Networks, Hardware and Software
B. Protecting CIPAG (Critical Infrastructure Protection Advisory Group)
C. Protecting NIPC (National Infrastructure Protection Center)
D. Protecting PKI (Public Key Infrastructure)

CRQ4

Pick the most accurate statement


SCADA Vulnerability Points are
A. Use of Wi-Fi enabled device connecting to SCADA system
B. Insufficiently secure Corporate web server/Gateways
C. Insufficiently secure protocols (e.g. DNP3, IEC 61850)
D. All of above


CRQ5

Pick the most accurate statement


Some of the common security attacks are
A. Firewalls, Ingress Filtering, and Encryption
B. Finding a way into the network, or exploiting software bugs and viruses
C. Establishing DMZ (De-Militarized Zones)
D. All of above

Answers to CRQ
(Covered-material Review Questions)


CRQ1

Pick the most accurate statement

Steps taken by the US Government for securing infrastructures include:
A. Establishing Financial Institutions to research identity theft
B. Promoting Security as an add-on feature over all utility networks
C. Devising joint programs, policies, and initiatives, to combat security risks
D. Encouraging Competition among the companies for information protection

C: Devising joint programs, policies, and initiatives, to combat security risks

CRQ2

Pick the most accurate statement


NERC (North American Electric Reliability Corporation)
A. Developed PKI (Public Key Infrastructure)
B. Developed SED (Spare Equipment Database)
C. Developed Security Guidelines and Security Policy for the electric sector
D. All of above

D: All of above


CRQ3

Pick the most accurate statement


Security is defined as
A. Protecting Physical Infrastructure, Networks, Hardware and Software
B. Protecting CIPAG (Critical Infrastructure Protection Advisory Group)
C. Protecting NIPC (National Infrastructure Protection Center)
D. Protecting PKI (Public Key Infrastructure)

A: Protecting Physical Infrastructure, Networks, Hardware and Software

CRQ4

Pick the most accurate statement


SCADA Vulnerability Points are
A. Use of Wi-Fi enabled device connecting to SCADA system
B. Insufficiently secure Corporate web server/Gateways
C. Insufficiently secure protocols (e.g. DNP3, IEC 61850)
D. All of above

D: All of above


CRQ5

Pick the most accurate statement


Some of the common security attacks are
A. Firewalls, Ingress Filtering, and Encryption
B. Finding a way into the network, or exploiting software bugs and viruses
C. Establishing DMZ (De-Militarized Zones)
D. All of above

B: Finding a way into the network, or exploiting software bugs and viruses

Home Work No. 03-01


Home Assignment

Submission Assignment
1. What are the SCADA vulnerability points?
2. List common security attacks and the counter measures taken to overcome these attacks
3. Explain any three of the counter measures in detail

Knowing is not enough: We must apply
Being willing is not enough: We must do
