Difference between revisions of "Projects:2017s1-167c Smart Grid Security"
Line 333: | Line 333: | ||
involved in reducing the issues. Additionally, requirement for personnel involved in the AMI | involved in reducing the issues. Additionally, requirement for personnel involved in the AMI | ||
is also necessary and will be discussed. | is also necessary and will be discussed. | ||
+ | |||
+ | === Awareness on cyber security === | ||
+ | The publics knowledge on the importance of cyber security in the AMI is limited. Hence, the | ||
+ | government and organisations involved in smart grid program should educate the public and | ||
+ | promote awareness. If the issues of cyber security in AMI is spread out and known to the | ||
+ | public, additional steps can be taken to reduce the vulnerability of a cyber attack. The public | ||
+ | can take precautions, for example installing a CCTV near a smart meter. Furthermore, the | ||
+ | government should also emphasise on the law on tampering the smart meter. This can | ||
+ | reduce the potential attackers towards the AMI. | ||
+ | |||
+ | Other than raising awareness among the public, it is also important that personnel involved | ||
+ | in the smart grid are familiar with the cyber security issues in AMI. This is because the personnel | ||
+ | are involved in manufacturing, installing and maintaining the AMI and an awareness | ||
+ | on cyber security could improve the overall cyber security in the AMI. Additionally, this can | ||
+ | result in cyber security being prioritise when operating and implementing the smart grid | ||
+ | [24]. | ||
+ | |||
+ | === Personnel training === | ||
+ | To create awareness among personnel as stated in the above section, training programs need | ||
+ | to be introduced. This training program should cover awareness on cyber security issues, | ||
+ | cyber security requirements, and the appropriate actions when a cyber attack occurs [24]. | ||
+ | A utility provider with cyber security in mind could minimise cyber security issues in AMI. | ||
+ | Apart from that, personnel with the appropriate training will know the necessary steps to | ||
+ | take if a cyber attack occurs to avoid further damages. | ||
+ | |||
+ | == Cyber Threats in the AMI == | ||
+ | There are many cyber security loopholes in the AMI as discussed in the above sections. | ||
+ | Hence, attackers will find many ways to exploit the AMI based on those loopholes. Most | ||
+ | of these attacks are mainly to gain financial benefit. Other cases of non-financial benefit | ||
+ | attacks are usually unlikely and not practical to occur but will still be discussed. This | ||
+ | section will cover the different ways an attacker can exploit the AMI and can be categorised | ||
+ | into four groups; tampering on energy usage, billing others, insider threat, attempt burglary | ||
+ | and nation state attack. | ||
+ | |||
+ | === Tampering on energy usage === | ||
+ | |||
+ | One reason for the deployment of the smart grid was to resolve the issue with energy theft. | ||
+ | Although smart meters were able to eliminate the standard ways to steal energy from the | ||
+ | traditional meter, it introduces new hacking methods via the network. With the right tools | ||
+ | and resources, the data in the smart meter can be tampered. There are various approaches | ||
+ | for an attacker to alter the energy usage, they include: administrative access, modifying | ||
+ | smart meter firmware, intercepting the data transmission link. | ||
+ | |||
+ | ==== Administrative access ==== | ||
+ | |||
+ | Similar to the traditional meter, the smart meter stores the total energy consumption used | ||
+ | by the household. This data can be hacked and modified via obtaining the smart meter | ||
+ | password to grant administrative rights. Obtaining the smart meter password does not | ||
+ | require much work for the attackers as once the smart meter is physically tampered, a | ||
+ | device for monitoring is able to capture the passwords [13]. These passwords according to | ||
+ | McLaughlin et al. is transmitted into the open without much security protection. | ||
+ | |||
+ | Once the attacker gained administrative rights on the smart meters, they are able to modify | ||
+ | the total energy consumption data which then affects the electric bill. This allows the | ||
+ | attacker to use more energy than they are actually paying. Additionally, with the administrative | ||
+ | rights, attackers can also alter the audit logs stored in the smart meter. Audit logs | ||
+ | are a record of timestamps when the smart meter is being accessed via administrative rights. | ||
+ | Modifying audit logs need to be done in conjunction with total energy consumption data as | ||
+ | it erases evidence on tampering. | ||
+ | |||
+ | ==== Modifying smart meter firmware ==== | ||
+ | Modifying the total energy consumption data using administrative access only provides a | ||
+ | limited control over the smart meter. Hence, some attackers would choose to reverse engineer | ||
+ | the firmware on the smart meter directly instead. When the smart meters firmware is | ||
+ | modified, the attacker has full access on tariffs for Time of Use (TOU) pricing, event logs, | ||
+ | received and executed commands [6, 13]. The smart meter can then be reprogramed to | ||
+ | report fake data. | ||
+ | |||
+ | ==== Intercepting the data transmission link ==== | ||
+ | Apart from tampering on the energy usage at the smart meter end, the introduction of AMI | ||
+ | also enables attackers to attack during the transmission of data from the consumers smart | ||
+ | meter to the utility provider. When the data is being transmitted, it passes through several | ||
+ | nodes, these nodes can then be targeted by the attackers if the security protocols are weak. | ||
+ | The attackers can inject their own data into the transmitting data when it passes a node. | ||
+ | |||
+ | Before injecting false data into the network, the attackers need to first intercept the communication | ||
+ | which is on the backhaul link. Attackers can tap a line near the first backhaul | ||
+ | link [13]. Once this is done, the attackers are ready to inject false data by removing the | ||
+ | original data being transmitted. However, as the AMI contains encryption in the network, | ||
+ | the attackers are required to retrieve the encryption key which can be found in the smart | ||
+ | meter. Instead of the smart meter accepting the data from the utility provider, the attackers | ||
+ | can now accept via their devices and send false data. This leads to an attack technique called | ||
+ | spoofing or masquerade as discussed previously. Additionally, attackers can attack when the | ||
+ | utility provider and smart meter has already connected. This involves a man-in-the-middle | ||
+ | attack at the node. | ||
+ | |||
+ | |||
+ | === Billing others === | ||
+ | Another method to steal energy is to bill the electricity to others instead. In order to do | ||
+ | this, the attacker would first need to select a target (most often the targets have to be living | ||
+ | nearby). After selecting a target, the attackers will hack into the targets smart meter to | ||
+ | obtain identity information for example the meter IP. The attacker will then modify the data | ||
+ | of their own smart meter to the targets meter IP. The attacker can also modify the targets | ||
+ | smart meter to avoid the utility provider from detecting duplicate meters. This is often | ||
+ | used by organised crime who are dealing with illegal businesses such as marijuana/cannabis | ||
+ | farming. To maintain these farms, a large amount of electricity usage is needed, hence the | ||
+ | attackers will resort to stealing energy to increase business revenue. | ||
+ | |||
+ | Besides billing others for financial gain, attackers can tamper the smart meter of a specific | ||
+ | household so that the target household gets billed higher than their energy usage. For | ||
+ | example, the target will get charged twice the cost per kWh. The attackers usually has no | ||
+ | real motives other than to cause disturbance or for revenge. | ||
+ | |||
+ | |||
+ | === Insider threat === | ||
+ | The AMI system can also be exploited from within the utility provider. This can be a | ||
+ | problem as it is not easy to detect abnormality within the utility. Insiders can either work | ||
+ | for their own financial benefit or can be planted by the power generation provider. These | ||
+ | insiders can either modify the pricing or the peak usage in the AMI system. | ||
+ | |||
+ | ==== Pricing modification ==== | ||
+ | An insider can modify the system at the AMI head end or the consumers end so that the | ||
+ | pricing of electricity can then be altered to suit them. The insider can reduce the price | ||
+ | of the electricity in an area (most likely the place the insider resides) so that the insiders | ||
+ | electricity bill will be lower than the usual price. Furthermore, the insider will also increase | ||
+ | the price of the electricity in another area to balance out the utilitys revenue to avoid any | ||
+ | suspicion. This pricing modification by the insider can be done either via administrative | ||
+ | access or physical hacking access. | ||
+ | |||
+ | Administrative access is usually done by insiders who are working in that particular department, | ||
+ | in this case, the department which is involved in getting pricing information. They | ||
+ | can then alter the price virtually without having to physically access the AMI head end | ||
+ | system [12]. Physical hacking access on the other hand requires an insider who has a decent | ||
+ | level of hacking and knowledge of the protocols involved. This is essential because they do | ||
+ | not have administrative access and would need to bypass certain security measures. | ||
+ | |||
+ | ==== Peak usage modification ==== | ||
+ | The insider can also modify peak usage to gain financial benefit for the organization the | ||
+ | insider is working for. Modifying peak usage is useful for power generation providers because | ||
+ | the insider can increase the peak usage and price to produce a false electricity demand | ||
+ | information. When the utility provider noticed that the demand for electricity increased | ||
+ | they will then require to buy more electricity from the power generation provider. This could | ||
+ | cause the utility provider to lose revenue and the power generation provider to increase in | ||
+ | revenue. The possible scenario for this to happen can be when a power generation provider | ||
+ | offers money to a personnel who desperately needs financial help to modify the data. The | ||
+ | methods to modify peak usage is similar to modifying pricing [12]. | ||
+ | |||
+ | === Attempt burglary === | ||
+ | Apart from energy theft, attackers can make money by exploiting the AMI to gain information | ||
+ | on a target so that they can attempt a burglary. As mentioned previously, the data | ||
+ | obtained by a smart meter specifically the energy consumption data can be used to monitor | ||
+ | or spy on a particular household. The information once hacked tells the attacker if there is | ||
+ | anyone home at that time. It can also be plotted on to a graph and analysed to learn about | ||
+ | the household’s daily routine or show if the household is on vacation. | ||
+ | The target chosen has to be someone who is wealthy as the effort put into this method for | ||
+ | attempting burglary may not be the most efficient. One way to be able to identify a wealthy | ||
+ | household as oppose to a not so wealthy household is to also monitor the energy consumption | ||
+ | data. If a particular household uses more energy than an average household, means that | ||
+ | money is not an issue for that household. Moreover, the graph also shows the number of | ||
+ | appliances available in that household. Different peaks of the graph show different types of | ||
+ | appliances. All of this can be done by just obtaining the energy consumption data. | ||
+ | |||
+ | === Nation state attack === | ||
+ | The AMI can also be exploited by large criminal enterprises whose goal may not just be the | ||
+ | AMI system but to cause harm or disturbance to the surrounding. These organisations could | ||
+ | plan to cause a disturbance in the power grid so that their final motives could succeed. The | ||
+ | terrorist can hack via the consumers end and slowly work their way up to the AMI head end | ||
+ | by hacking wireless communication links [12]. Furthermore, the terrorists can also exploit | ||
+ | the weak security for AMI connectivity. The motives of this terrorists could be broken down | ||
+ | into two groups; terror attack and manipulating the society. | ||
+ | |||
+ | ==== Terror attack ==== | ||
+ | Terrorists can target the power generation through the AMI system to cause a blackout so | ||
+ | that their planned bombings could take place. The AMI system allows the utility provider | ||
+ | to switch off any flow of electricity to a household if the electric bill is overdue. This feature | ||
+ | also known as disconnect commands can be taken advantage by the terrorists where once | ||
+ | hacked into the AMI head end, they can send an off command to any large area. Once a | ||
+ | blackout occurs and the terrorist attack, the emergency response could be slow. The police and fire department along with the ambulance would be busy dealing with the blackout and | ||
+ | could have a shortage of emergency forces to respond to an attack later. | ||
+ | |||
+ | ==== Manipulating the society ==== | ||
+ | An attack which involves manipulating the society may not seem reliable but the effects | ||
+ | of it could cause emotional distress, behaviour changes and internal conflicts between the | ||
+ | public and the government. The AMI system can be hacked by the terrorist and can modify | ||
+ | the billing information of the consumers. This can cause economic issues among the public | ||
+ | whereby the poor get poorer and people working in the electricity field get richer. When | ||
+ | the public are pressured by issues regarding financial and economic instability, they tend to | ||
+ | blame it on the government, and when the government does not appeal to the public, protest | ||
+ | or even civil unrest could occur. This gives the attacker control on the lives of the society | ||
+ | and must be prevented. Furthermore, the attacker can use this as a political tool to shift | ||
+ | the tide to favour a political party during an election campaign for example. | ||
+ | |||
+ | == Recommendations == | ||
+ | This section aims to introduce a few important recommendations that could help mitigate | ||
+ | the cyber security issues present in the AMI system and to reduce the practicality of exploiting | ||
+ | the AMI system. Based on the practicality and severity analysis of the exploits, it is | ||
+ | important to first address and provide recommendations to the issue which has the highest | ||
+ | average of both practicality and severity. | ||
+ | |||
+ | === Recommendations for tampering attacks === | ||
+ | Tampering issues need to be addressed first because it is the base of all other threats hence, | ||
+ | solving tamper issues can slow down and mitigate other cyber threats in the AMI. It is crucial | ||
+ | for the public and personnel to be aware and fully understand the vulnerability of the AMI | ||
+ | system. Creating awareness is the first step towards mitigating cyber security threats. The | ||
+ | public and personnel need to be properly educated so that necessary precautions can be | ||
+ | taken. For example, an educated consumer will notice any abnormality when monitoring | ||
+ | their energy usage and will report it to the utility provider for investigation. Similarly, a welleducated | ||
+ | personnel will understand the importance of cyber security and knows which part | ||
+ | of the AMI system needs attention so that necessary security protocols can be implemented | ||
+ | or strengthen. | ||
+ | |||
+ | For petty thefts and small groups of attackers, their main target would be the smart meter. | ||
+ | Hence, enforcing the security at the smart meter would be the first priority. There are several | ||
+ | recommendations to lower the threat level for tampering, one way is to strengthen the password | ||
+ | which is used to access the smart meter. However, the password can also be obtained | ||
+ | via monitoring the open as mentioned previously. Thus, proper security protection on the | ||
+ | password is essential. Furthermore, although modifying the firmware of the smart meter | ||
+ | requires a certain amount of expertise from the attacker, if the attacker is able to tamper | ||
+ | with the firmware, the results could be severe. Thus, it is recommended to design lockable | ||
+ | microcontrollers to prevent reinstallation of the firmware [11]. It is also recommended to | ||
+ | encrypt the firmware in the smart meter. | ||
+ | |||
+ | The AMI communication network contains many nodes which when hacked can be used to | ||
+ | connect all other nodes, hence, all the nodes should be encrypted. Although encrypting | ||
+ | every node of the AMI network may seem sufficient, a stronger encryption is also needed to | ||
+ | avoid unnecessary cyber security threat. Stronger encryption would slow down the hacking | ||
+ | process of the attacker. The AMI network functions by constantly having to send and | ||
+ | receive signals thus attackers can take advantage of this feature. One way to discourage | ||
+ | attackers from launching a man-in-the-middle attack is to have all signals authenticated regardless of whether the signal is coming from the consumer or going out of the utility | ||
+ | provider. To reinforce this method, the authentication can be made stronger for example, | ||
+ | more complicated passwords or even biometrics. | ||
+ | |||
+ | Despite all the enforcing of the security protocols, not all utility provider would follow the | ||
+ | same level of security measures, hence it is essential to have certain standards introduced. | ||
+ | For example, a standard on having a stronger security protocol could help the AMI system | ||
+ | mitigate small threats. These standards ensure that the AMI system has a minimum level of | ||
+ | cyber security measures. However, a problem arises because the standards need to satisfy all | ||
+ | the relevant stakeholders. This means that the stakeholders need to agree upon a common | ||
+ | protocol and the level of cyber security. It is not as straightforward as it is for all the | ||
+ | stakeholders to come to terms, as each stakeholder has a different view and requirement on | ||
+ | the issue and only look to benefit themselves. | ||
+ | |||
+ | Additionally, legislations are important as it forces the implementers to take necessary cyber | ||
+ | security precautions when designing the AMI system. These standards can then be implemented | ||
+ | in one of the legislations to make it mandatory for the AMI system. Legislations | ||
+ | can be used to solve the problem regarding different stakeholders requirement. When the | ||
+ | government is more involved in regulating the cyber security in AMI, it forces all other | ||
+ | stakeholders to take the same cyber security precautions. | ||
+ | |||
+ | === Recommendations for insider attacks === | ||
+ | Utility provider who take insider attacks for granted could face serious financial consequences. | ||
+ | To prevent this, it is essential to create a certain level of awareness within the utility provider. | ||
+ | The awareness could include educating personnel regarding insider threats and to mention | ||
+ | the possibility of one to occur. Most of the problem with insider threats are that when | ||
+ | the issue has finally been found, it is already too late. Thus, when personnel are aware | ||
+ | of such threats, any suspicious activity or mismatch pricing information will be reported | ||
+ | immediately. | ||
+ | Moreover, the utility provider could perform frequent audit check ups or software integrity | ||
+ | testing on the system. This allows, any modified data internally to be detected and actions | ||
+ | can be taken. In addition to audit check ups, engineers at the AMI head end should also carry | ||
+ | out regular cyber security tests to keep the cyber security protocols up to date. As the AMI | ||
+ | system is constantly evolving, new technologies will be integrated, and the cyber security will | ||
+ | contain more loopholes and susceptible to attacks. These tests can help address this issue | ||
+ | because when the engineer runs the security tests on the system and it does not perform | ||
+ | well, it will then be notified so that a better cyber security protocol can be implemented. | ||
+ | Similar to the recommendation for tampering issue, the commands present in the utility provider needs to be authenticated and with a stronger authentication. Insiders can issue | ||
+ | their own commands when they have gotten in to the communication network of the AMI | ||
+ | system. By authenticating the commands, the insider would require bypassing the authentication | ||
+ | which means it is less efficient to hack. | ||
+ | |||
+ | === Recommendations for billing others and burglary === | ||
+ | The cyber-attack of billing others and burglary involved in first obtaining the information | ||
+ | of the consumer. Hence as mentioned previously, one recommendation is to anonymise the | ||
+ | data of the consumer. When the consumers information is anonymous, it is harder for the | ||
+ | hacker to track back the information hacked from the network to the original consumer. For | ||
+ | the case of billing others, extra recommendations are required and are similar to tampering | ||
+ | which is enforcing the security protocols at the smart meter and at the nodes throughout | ||
+ | the network. Additionally, the meter IP of each household should also not be exposed to | ||
+ | the open. | ||
+ | |||
+ | === Recommendations for nation state attack === | ||
+ | Nation state attack is probably the hardest threat to mitigate given the commitment and | ||
+ | resources of the attacker. Nevertheless, there are a few recommendations to slow down such | ||
+ | attacks or reduce the practicality of the attack so that the AMI system is a less tempting target. | ||
+ | The utility provider could implement firewalls within the AMI network to help prevent | ||
+ | the attackers from using consumer end to attack. A combination of the recommendations | ||
+ | mentioned above and the recommendations here will be able to mitigate if not slow down a | ||
+ | terrorist attack from occurring. | ||
+ | |||
+ | The nation state attack which involved manipulating of behaviour can be mitigated with | ||
+ | awareness similar to the recommendation in tampering attacks. Educating the public and | ||
+ | personnel on the possibility of such an attack would not only make the public more vigilant, | ||
+ | but actions can be taken if such an event occurs. | ||
+ | |||
+ | == Conclusions == | ||
+ | |||
+ | The current standard grid is slowly reaching its lifetime with many problems including | ||
+ | blackouts, this calls for a need to transition into a smart grid. South Australia which is | ||
+ | currently facing with energy crisis is an example which could benefit from a smart grid. The | ||
+ | purpose of this research project is to identify the cyber security issues present in the AMI, | ||
+ | determine the requirements to reduce the cyber security issues, analyse the impact of the | ||
+ | issues on the AMI, and to provide recommendations to the cyber threats. | ||
+ | The introduction of communication networks within the AMI architecture has caused several | ||
+ | cyber security issues. These cyber security issues are first identified and explained so that a | ||
+ | list of possible attacks on the AMI can be determined. Each cyber security issue is associated | ||
+ | with a type of attacker. It is essential to address the types of attacker so that necessary | ||
+ | precautions can be taken towards them. | ||
+ | |||
+ | The cyber security issues can be minimised to an extent by following certain requirements. | ||
+ | The regulatory requirements are essential in keeping the design of cyber security in the | ||
+ | AMI up to date and works in conjunction with standards. Additionally, cyber security | ||
+ | requirements can be used when implementing new security measures to minimise cyber | ||
+ | security issues. It allows cyber security issues to be grouped up in to specific category | ||
+ | of security requirements so that design engineers can easily implement security measures. | ||
+ | Educating the public and personnel is one requirement not to be overlooked as the effect | ||
+ | of such requirement can greatly impact the AMI system. It helps provide awareness among | ||
+ | the public and personnel so that necessary precautions can be taken before the need for it | ||
+ | arises. | ||
+ | |||
+ | This research explores the consequences of cyber security issues which is the exploitation | ||
+ | of the AMI. There are many cyber threats that could or could not occur depending on the | ||
+ | practicality of the attacks which will be analysed and given a grade. The AMI is particularly | ||
+ | vulnerable to tampering attacks and insider threat while billing others and burglary are less | ||
+ | likely to occur. The possibility for a nation state attack to occur on the other hand varies | ||
+ | depending on the situation and motives of the attacker. However, it should not be taken | ||
+ | lightly as the impact on a nation state attack is severe. | ||
+ | |||
+ | Several recommendations have been made in order to reduce the cyber threats and to ensure | ||
+ | the AMI is less vulnerable to cyber attacks. It is mentioned that tampering attacks represent | ||
+ | the base of all other threats, hence a proper mitigation method for tampering attacks can | ||
+ | be used as a reference point to implement other recommendations. It is crucial to address | ||
+ | the cyber security issues present in the AMI at an early stage of the design process as the | ||
+ | consequences of a cyber attack is not to be taken lightly. As for existing AMI infrastructures, | ||
+ | this project can help create certain awareness so that the necessary precautions can be taken. | ||
+ | |||
+ | As the concept of a smart grid is still fairly new to many countries, this research project | ||
+ | can also shed some light on the cyber security issues in AMI. This project hopes to provide | ||
+ | engineers and personnel a general reference and guide when implementing cyber security of | ||
+ | an AMI system. | ||
+ | |||
+ | == Reference == | ||
+ | [1] J. Liu, Y. Xiao, S. Li, W. Liang and C. Chen, “Cyber Security and Privacy Issues in | ||
+ | Smart Grids,” in IEEE Communications Surveys & Tutorials, vol. 14, no. 4, Fourth | ||
+ | Quarter 2012. | ||
+ | [2] F. M. Cleveland, “Cyber Security Issues for Advanced Metering Infrastructure (AMI),” | ||
+ | Proceedings of the IEEE Power and Energy Society General Meeting: Conversion and | ||
+ | Delivery of Electrical Energy in the 21st Century, pp. 15, 2008 | ||
+ | [3] N.Liu, J.Chen, L.Zhu, J.Zhang and Y.He, “A Key Management Scheme for Secure Communications | ||
+ | of Advanced Metering Infrastructure in Smart Grid,” in IEEE Transactions | ||
+ | on Industrial Electronics, vol. 60, no. 10, October 2013. | ||
+ | [4] R. Berthier, W. H. Sanders and H. Khurana, “Intrusion Detection for Advanced Metering | ||
+ | Infrastructures: Requirements and Architectural Directions,” 2010 First IEEE | ||
+ | International Conference on Smart Grid Communications, Gaithersburg, MD, 2010, pp. | ||
+ | 350-355. | ||
+ | [5] Y.Yan, Y.Qian and H.Sharif, “A Secure and Reliable In-network Collaborative Communication | ||
+ | Scheme for Advanced Metering Infrastructure in Smart Grid,” in IEEE WCNC | ||
+ | 2011. | ||
+ | [6] R. R. Mohassel, A. S. Fung, F. Mohammadi and K. Raahemifar, “A survey on advanced | ||
+ | metering infrastructure and its application in Smart Grids,” in IEEE 27th Canadian | ||
+ | Conference on Electrical and Computer Engineering (CCECE), Toronto, ON, 2014, pp. | ||
+ | 1-8. | ||
+ | [7] N. Saputro and K. Akkaya, “On preserving user privacy in Smart Grid advanced metering | ||
+ | infrastructure applications,” Security and Communication Networks, vol. 7, no. | ||
+ | 1, pp. 206-220, 2013. | ||
+ | [8] P. Deng and L. Yang, “A secure and privacy-preserving communication scheme for Advanced | ||
+ | Metering Infrastructure,” 2012 IEEE PES Innovative Smart Grid Technologies | ||
+ | (ISGT), Washington, DC, 2012, pp. 1-5 | ||
+ | [9] R. Berthier, W. H. Sanders and H. Khurana, “Intrusion Detection for Advanced Metering | ||
+ | Infrastructures: Requirements and Architectural Directions,” 2010 First IEEE | ||
+ | International Conference on Smart Grid Communications, Gaithersburg, MD, 2010, pp. | ||
+ | 350-355. | ||
+ | [10] R. Shein, “Security Measures for Advanced Metering Infrastructure Components,” 2010 | ||
+ | Asia-Pacific Power and Energy Engineering Conference, Chengdu, 2010, pp. 1-3. | ||
+ | [11] K. Adak, J. Mohamed and S. H. Darapuneni, “Advanced Metering Infrastructure Security,” | ||
+ | A Capstone Paper, University of Colorado, Boulder, 2010. | ||
+ | [12] R. C. Parks, “Advanced Metering Infrastructure Security Considerations,” Sandia Report, | ||
+ | Sandia National Laboratories, 2007 | ||
+ | [13] S. McLaughlin, D. Podkuiko, and P. McDaniel, “Energy theft in the advanced metering | ||
+ | infrastructure,” in Proc. the 4th International Conference on Critical Information | ||
+ | Infrastructures Security, Springer, 2010, pp. 176-187 | ||
+ | [14] R. Jiang, R. Lu, Y. Wang, J. Luo, C. Shen and X. S. Shen, “Energy-theft detection | ||
+ | issues for advanced metering infrastructure in smart grid,” in Tsinghua Science and | ||
+ | Technology, vol. 19, no. 2, pp. 105-120, April 2014. | ||
+ | [15] Y. Mo, T. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig and B. Sinopoli, “CyberPhysical | ||
+ | Security of a Smart Grid Infrastructure,” in Proceedings of the IEEE, vol. 100, | ||
+ | no. 1, pp. 195-209, Jan. 2012. | ||
+ | [16] S. Asri and B. Pranggono, “Impact of Distributed Denial-of-Service Attack on Advanced | ||
+ | Metering Infrastructure,” Wireless Personal Communications, vol. 83, no. 3, pp. 2211- | ||
+ | 2223, 2015. | ||
+ | [17] P. Yi, T. Zhu, Q. Zhang, Y. Wu and L. Pan, “Puppet attack: A denial of service | ||
+ | attack in advanced metering infrastructure network,” Journal of Network and Computer | ||
+ | Applications, vol. 59, pp. 325-332, 2016. | ||
+ | [18] K. Curtis, in Speech to Thinkfuture Smart Infrastructure Conference 2010 on smart | ||
+ | infrastructure and privacy, Parliament House, Canberra, 2010. | ||
+ | [19] U.S. Department of Energy, “Smart Grid Legislative and Regulatory Policies and Case | ||
+ | Studies”, U.S. Energy Information Administration, Washington, D.C., 2011. | ||
+ | [20] “Australian Privacy Principles— Office of the Australian Information Commissioner | ||
+ | - OAIC”, Oaic.gov.au, 2017. [Online]. Available: https://www.oaic.gov.au/privacylaw/privacy-act/australian-privacy-principles. | ||
+ | [Accessed: 10- Sep- 2017]. | ||
+ | [21] Australian Privacy Principles, fact sheet 17. Australia: Office of the Australian Information | ||
+ | Commissioner, 2014. | ||
+ | [22] Australian Privacy Principles - a summary for APP entities. Australia: Office of the | ||
+ | Australian Information Commissioner, 2014. | ||
+ | [23] J. Lazar and M. McKenzie, “Australian Standards for Smart Grids Standards | ||
+ | Roadmap”, Standards Australia, pp. 1-36, 2012. | ||
+ | [24] E. Egozcue, D. Rodrguez, J. Ortiz, V. Villar and L. Tarrafeta, “Smart Grid Security”, | ||
+ | European Network and Information Security Agency, 2012. | ||
+ | [25] “Stop Smart Meters Australia”, Stop Smart Meters Australia, 2017. [Online]. Available: | ||
+ | https://stopsmartmeters.com.au/. [Accessed: 29- Sep- 2017]. | ||
+ | [26] “Cyber Security — Energy Networks Australia”, Energynetworks.com.au, 2017. [Online]. | ||
+ | Available: http://www.energynetworks.com.au/cyber-security. [Accessed: 18- | ||
+ | Sep- 2017]. | ||
+ | [27] B. Murrill, E. Liu and R. Thompson II, “Smart Meter Data: Privacy and Cybersecurity”, | ||
+ | Congressional Research Service, 2012. | ||
+ | [28] “Smart Meters - Advanced Metering Infrastructure Cost Benefit | ||
+ | Analysis”, Smartmeters.vic.gov.au, 2017. [Online]. Available: | ||
+ | http://www.smartmeters.vic.gov.au/about-smart-meters/reports-andconsultations/advanced-metering-infrastructure-cost-benefit-analysis. | ||
+ | [Accessed: | ||
+ | 29- Sep- 2017]. | ||
+ | [29] C.King, “Advanced Metering Infrastructure (AMI), Overview of System Features and | ||
+ | Capabilities”, 2004 |
Latest revision as of 23:54, 28 October 2017
Contents
- 1 Project Team
- 2 Supervisor
- 3 Introduction
- 4 Motivation
- 5 Purpose of the project
- 6 Background
- 7 Cyber Security Issues
- 8 Regulatory Requirements
- 9 Cyber Security Requirements
- 10 Human Factor Requirements
- 11 Cyber Threats in the AMI
- 12 Recommendations
- 13 Conclusions
- 14 Reference
Project Team
Juin Hao Yau
Supervisor
Dr Matthew Sorell
Introduction
As our technology advances forward at a rapid rate, the current power grid use today has not been significantly modified or improved. The current power grid is not reliable and has been causing blackouts, voltage sags and other numerous problems over the years. A similar but better electric grid called smart grids are replacing the standard electric infrastructure but at a very slow pace. What differs from a smart grid and the standard electric grid is that a smart grid is more reliable, manageable, scalable, cost efficient and has two-way communication between the utility operator and the consumer.
A smart grid consists of different entities connected by multiple systems. Advanced metering infrastructure (AMI) is a system component within the smart grid which connects smart meters from the consumers to the operators and vice versa. However, smart grids are vulnerable to cyber security attacks because of its large use of communication technology. This cyber security issues are also present in the AMI. If the cyber security issues are not addressed well, it could cause the AMI to be vulnerable to cyber threats and have serious consequences. AMI system plays an important role in the smart grid and with its weak cyber security protocols, it naturally becomes attackers first target. This research will cover the issues of cyber security in AMI, determine the requirements to mitigate the issues, discuss about the cyber threats resulting from the issues and to finally draw a conclusion by giving recommendations.
Motivation
South Australia has been recently facing with energy crisis. Approximately 50% of South Australias energy comes from gas, 45% from wind energy and the remaining from solar, diesel and brown coal from Victoria. Wind energy has been proved to be not very reliable during the blackout on September 2016 and due to the closure of a few coal plants in Victoria, the demand for gas energy increases. One solution proposed was to use battery storage as a short-term fix. However, the upfront cost for battery storage is too expensive and is not as efficient compared to other methods.
A long-term solution for the energy crisis is to convert the traditional standard grid into a smart grid. By doing so, the operators and consumers are able to communicate with each other and control the energy flow during high demand. AMI plays an important role in assisting the smart grid to connect the operators and consumers. Other than that, a smart grid can recover from a blackout by rerouting another transmission line.
Furthermore, smart grids can help reduce energy cost for the consumers as the smart meters installed at the end user allows the consumer to monitor energy prices in near real time. With the AMI implemented, the utility provider no longer needs to send out the meter man to measure the energy usage once every few months, instead they can bill the consumers directly and more efficiently. For the utility provider, this saves cost on fuel for sending out a meter man, and for the consumer, they no longer need to worry about estimated billing when the meter man has no access to the meter.
Purpose of the project
The purpose of this project is to carry out an extensive research, discuss and provide an overall view on the Cyber Security Issues in AMI and can then be used as a general reference for future work. The aim is to first identify the current issues and causes from past research, discuss about the issues, list out the regulatory requirements and the cyber security requirements. This research will also include ways an attacker can exploit the AMI and the recommended resolutions.
Background
What is a Smart Grid?
Over the years the term smart grid has went through numerous changes, but in general it is used to describe power grids with enhanced communication and sensing system which improves the overall reliability. According to Liu et al. a smart grid is capable of analysing power usage information in real time [1]. What makes a smart grid more reliable than the standard power grid is that any outage in an area due to bad weather can be automatically rerouted from another working distribution line. This feature is called distribution intelligence. A smart grid is also capable of integrating different energy sources. This allows renewable and non-renewable energy to work well together.
One important feature of a smart grid is the two-way communication between the consumer and the operator unlike the standard grid which only flows one way. What this means is that electricity is not only flowing from the operator to the consumer but information from the consumer is also flowing back to the operator. This two-way communication allows the operator to adjust the energy according to the consumer needs.
What is Advanced Metering Infrastructure (AMI)?
AMI is one of the major system within the smart grid which is used to connect the consumer and the operator with a two way communication link. Its main purpose is to measure, collect and analyse power usage data of consumers. The AMI is composed of different technologies such as smart meters, Meter Data Management System (MDMS) and consumers area network (HAN). Through AMI, operators are able to obtain electricity price in real time while the consumers will be able to have control on their power usage and are able to see real-time electricity prices [1].
What is a Smart Meter?
A Smart Meter is an electronic meter installed at the consumer’s end which is able to monitor and collect energy information of the consumer and then send it to the operator periodically, around every 30 minutes or less. Different from a electromechanical meter a smart meter contains bi-directional communication between the consumer and the utility provider which sends usage information back to the utility. The smart meter is a main component in the AMI.
What is Home Area Network (HAN)?
The HAN works as a network to connect the consumers appliances together. Such appliances include, computers, smart televisions, lights, security systems, etc. This allows the appliances to communicate with each other.
What is Meter Data Management System (MDMS)?
The Meter Data Management System is located and integrated at the consumer end. Information and data obtained from the consumer via smart meters are stored and managed in the MDMS software. It also provides report statistics and validation.
Cyber Security Issues
This introduction of the communication technology to the architecture caused cyber security vulnerabilities in the AMI. Hence this section aims to address cyber security issues in AMI from previous research.
Privacy Issues
There are many concerns on privacy with the installation of a smart meter. If the AMI was to be attacked or hacked, two main issues of privacy can occur; real time spying and burglary, and identity theft [16].
Real time spying and burglary
According to Mohassel et al., the smart meter is able to collect energy consumption data in a shorter interval of around 20 mins average compared to the traditional meter which is only done during the billing period. These shorter readings from the smart meter can then be used to generate a profile of the consumer which for example can include number of occupant and type of alarm system [6, 10]. This is backed up by Saputro and Akkaya where they mentioned that from the amount of information the Smart Meter obtains, it can show more than just the power usage of the consumer. The energy consumption information can show if the consumer is at home or not by load monitoring.
Moreover, the operating time of an appliance can also be determined from the smart meter. Additionally, if the energy consumption data is analysed over a period, a detailed graph can be produced [7].
Attackers are able to know what appliances were used on what specific time of the day and the consumers daily routine can then be figured out. The graph can be use as a surveillance on the consumer and can even be use to coordinate a burglary. A burglar can know when to attack based on the graph, for example, the graph will have no spike if the occupant went for a holiday. Other than that, this information can now be obtained remotely without the need to be present at the target’s property.
Identity theft
Identity theft is an issue whereby the attacker uses the consumer’s identity to gain benefit financially. A smart meter obtains more than just the energy consumption information from a consumer compared to the traditional meter. The list of personal information obtained by the smart meter and stored in the grid according to Liu et al. is as follows: consumers name, phone number, home address, transaction history, meter reading, HAN, meter IP and service provider [1]. This can cause serious privacy issues if the data in the Smart Meter falls into the wrong hands.
Based on Saputro and Akkaya there are two ways an attacker can obtain the energy consumption information. Firstly, an attack can occur when transmitting the data from the consumer to the utility. Secondly, it can either be done at the utility site or the consumer site where the smart meter is present [7]. Privacy issue may not be a serious problem for some people but a surprisingly large amount of people are concern on privacy which has led to activist being formed to stop the installation of smart meters. To ensure that the public are comfortable with smart meters and trust the utility, the data in the smart meter needs to be protected via cyber security measures [8].
Denial-of-Service issues
Another form of threat which is fairly common is a Denial-of-Service attack. Based on Mo et al. a DoS attack is when the attackers send false request to the network to cause a disruption or to temporarily make the service unavailable [15]. A successful DoS attack can cause an issue at the consumer site. From Cleveland, the consumer can get delayed pricing information on their smart meters which can cause financial problems [2]. Another major problem from a DoS attack is when there is an outage in an area, the grid is unable to restore power to it on time via the AMI [2].
Based on Asri and Pranggono there are three ways of executing a DoS attack, flooding attacks, vulnerability attacks and a new way of attack called puppet attack introduced by Yi et al. [16, 17]. Flooding attack is a form of Distributed Denial-of-Service attack (DDoS) where the attacker sends several SYN packet to an invalid address an causes an error in the system [16]. Vulnerability attacks are done by exploiting exposed software at the target which result in overuse of the CPU memory. Puppet attack on the other hand is similar to the flooding attack, however puppet attacks are less likely to be detected [17].
Unauthorized access and modification issues
Another major threat in the AMI is when attackers issue their own commands into the AMI or modify it. The types of different attacks can be classified into five different threats; masquerade, firmware modification, buffer overflow, man-in-the-middle attack, and energy theft.
Masquerade
From previous research, masquerade is shown as a threat where attackers impersonate the control centre at the AMI headend [11]. As mentioned by Parks, the attackers can issue a shutdown on multiple Smart Meters causing a high power without demand from the power company. The power company will then lower the power and when the smart meters are 15 turned back on, the lack of power can cause a blackout [12]. Masquerade can be done through authentication bypass. Another possible masquerade threat is at the consumers site where the attackers can send false alarms from multiple smart meters to the control centre. The result of this is the control centre will send maintenance team to those smart meters and can cause performance and delay issues [11].
Other than small threats, masquerade can be used as a large-scale attack and can cause havoc nationwide as mentioned by Parks [12]. An example of a large-scale attack is terrorist can cause power instability or blackout during their own bombing attack.
Firmware modification
A threat also mentioned in the research of Adak et al. is firmware modification. This threat is a major concern because attackers can modify the firmware remotely and once modified, the AMI meter can function however the attacker wants. Although modifying the firmware of the AMI is not an easy task and requires a certain amount of expertise, it should not be taken lightly as it can have serious consequences [11].
Firmware modification
A threat also mentioned in the research of Adak et al. is firmware modification. This threat is a major concern because attackers can modify the firmware remotely and once modified, the AMI meter can function however the attacker wants. Although modifying the firmware of the AMI is not an easy task and requires a certain amount of expertise, it should not be taken lightly as it can have serious consequences [11].
Buffer overflow
According to Adak et al., buffer overflow is a very common type of attack these days. As the name implies, the attacker can overflow the buffer in the AMI meter and can cause damage to the data within the AMI or leak them [11]. The memory addresses gets modified during a buffer attack which can cause system freeze.
Man-in-the-middle Attack
Man-in-the-middle attack is also a common cyber threat towards the AMI. This can be done during the transmitting of data over the network. The attackers can implant false information in the network from any node. The backhaul link is one way where the attackers can interfere and also obtain the cryptographic key. [6] A few consequences of a man-in-the-middle attack based on Liu et al. are modification of the billing data, financial loss, equipment damage and human risks.
Energy theft
Lastly, energy theft has always been around since the first standard grids are introduced and are still present in Smart Grids. According to McLaughlin et al. there are 2 types of attackers; consumers and organized crime [13]. Customers are the main attackers to try and steal energy via tampering the meter. Stealing energy by tampering the smart meter is harder compared to the traditional meter, however due to the advancement of AMI, ways on how to steal energy from smart meters can be easily obtained online [14]. Organized crime is another culprit of energy theft. As mentioned by McLaughlin, these organizations are professional hackers who take advantage of the AMI system to steal large amount of energy [13].
Regulatory Requirements
The cyber security issues in the AMI can be minimised by introducing regulatory requirements and/or legislations which creates certain restrictions on the AMI for example the handling of consumer’s data [18]. This section covers the current regulatory requirements used in the AMI system and will also include suggested new laws to improve the cyber security of the AMI.
Policy for privacy
A smart meter records the energy consumption of the consumer every 30 minutes or less. Hence, the information obtained by a smart meter can be very detailed and can show the lifestyle of the consumer. There are rising privacy concerns among the consumers if the information happens to fall onto the wrong hands or misused by the utility provider. Privacy is a major issue which directly involves the consumer and hence need to be enforced. Based on Australian law, the federal privacy act 1988 ensures that the consumer’s information (name, signature, address, bank details, telephone number and date of birth) is protected. This applies to the AMI system for example, when the smart meter collects the consumer’s personal information, the utility provider is not allowed to share it to other third parties without having the consent from the consumer. Other than that, the utility provider will always ensure that the third party complies with the federal privacy act when the third party request to obtain the consumer’s information.
Moreover, the utility provider need to ensure the authenticity of the obtained consumer’s personal information by ensuring the consumer updates their information regularly. On the other hand, the information collected from the smart meter and kept by the utility provider must be protected from unauthorised access. Another requirement to strengthen the privacy of the consumer is the utility provider must conduct cyber security training for their staffs and ensure frequent audits.
Additionally, the federal privacy act contains the Australian Privacy Principles (APP), also formerly known as National Privacy and Principles. APP explains the use and storage of personal information and set restrains for organisations with 3 million Australian dollars or more annual turnover [20]. There are additional protection on the installation and data of the smart meter as stated in the National Electricity Rules.
Policy for unauthorized access and DoS
Aside from policy regarding privacy issues, law enforcing the cyber security to prevent unauthorized access issues should also be prioritized. The AMI is responsible on the measurement and collection of energy usage of the consumers, and is done through network transmission. Hence, the AMI is exposed and can be vulnerable to cyber attacks if there are no regulations on the cyber security.
A few policies can be introduced to minimise cyber security issues within the AMI. For example, a policy where the encryption of the information and cyber security protection of the AMI and grid has to exceed a certain level of security. If such policy exists, this can ensure that when the AMI is implemented, the design engineers follows a specific set of rules and ensures that the cyber security is not easily penetrated.
Additionally, the policy can also defend against unauthorized access by making sure meter protocols are implemented and for each stage of the data transmission process between the consumer and utility provider there contains encryption. Other ways to enforce the cyber security in the AMI includes implementing passwords in the smart meters according to the appropriate standards and the addition of firewalls to separate the AMI network from the internet [19].
Cyber Security Requirements
Cleveland mentioned that each cyber security issue can be grouped into their appropriate security requirements. This bond between the security requirements and threats means that solutions to the cyber security issues can be implemented easier instead of solving on each individual threat. Below are four different technical security requirements and their corresponding descriptions [2].
Confidentiality
Cleveland mentioned that in AMI, confidentiality means that consumer’s information and data is only available to the authorized operator. This is important as a consumer because of privacy issues. Without confidentiality, attackers can obtain detailed information of the consumers for example energy usage patterns. This energy usage pattern is able to give attackers information on whether the consumer is at home or not and their daily routine. To keep the consumer’s data confidential, either the AMI network needs to be encrypted so that attackers cannot easily hack or the utility provider needs to ensure the data is not shared to other third parties [2].
Integrity
According to Cleveland, integrity is to ensure the information and data received by the operator is from the correct consumer. This means that the data collected by the smart meter must not be altered or modified without authorised permission. Attackers can hack and pose as the consumers and give false information to the operator. An example is when the attackers increases the electricity demand of multiple consumers and if the generator is unable to supply that amount of power, a blackout can occur [2].
Availability
Based on Cleveland, availability is to ensure that the consumer’s information and data is always available to the authorized operator. This is especially important for smart meters as compared to the traditional meters, because the traditional meters allows estimate billing while the smart meters are not able to do that. Attackers can cause a Denial-of-Service in the AMI where the operator can not access the consumers’ information when needed. This can cause delayed information and affecting the service for the consumers. At the consumer’s site, it can cause delay to pricing and can affect consumer financially [2].
Accountability
Another important security requirement is accountability as noted by Mohassel et al. accountability is when the entities do not deny receiving information or when the entity did not receive information but say otherwise. The AMI is a large network and does not own by an entity, instead it consists of different individuals. This means that it is crucial to have synchronized timestamps for the data in the network by each entity. Weak focus on accountability can result in financial issues because one entity can declare that the data has been sent and accuse that it has been lost in the network [2, 6].
Human Factor Requirements
The cyber security issues in AMI cannot be solved with just technical and regulatory requirements. As the AMI obtains information from the consumer, the community has to be involved in reducing the issues. Additionally, requirement for personnel involved in the AMI is also necessary and will be discussed.
Awareness on cyber security
The publics knowledge on the importance of cyber security in the AMI is limited. Hence, the government and organisations involved in smart grid program should educate the public and promote awareness. If the issues of cyber security in AMI is spread out and known to the public, additional steps can be taken to reduce the vulnerability of a cyber attack. The public can take precautions, for example installing a CCTV near a smart meter. Furthermore, the government should also emphasise on the law on tampering the smart meter. This can reduce the potential attackers towards the AMI.
Other than raising awareness among the public, it is also important that personnel involved in the smart grid are familiar with the cyber security issues in AMI. This is because the personnel are involved in manufacturing, installing and maintaining the AMI and an awareness on cyber security could improve the overall cyber security in the AMI. Additionally, this can result in cyber security being prioritise when operating and implementing the smart grid [24].
Personnel training
To create awareness among personnel as stated in the above section, training programs need to be introduced. This training program should cover awareness on cyber security issues, cyber security requirements, and the appropriate actions when a cyber attack occurs [24]. A utility provider with cyber security in mind could minimise cyber security issues in AMI. Apart from that, personnel with the appropriate training will know the necessary steps to take if a cyber attack occurs to avoid further damages.
Cyber Threats in the AMI
There are many cyber security loopholes in the AMI as discussed in the above sections. Hence, attackers will find many ways to exploit the AMI based on those loopholes. Most of these attacks are mainly to gain financial benefit. Other cases of non-financial benefit attacks are usually unlikely and not practical to occur but will still be discussed. This section will cover the different ways an attacker can exploit the AMI and can be categorised into four groups; tampering on energy usage, billing others, insider threat, attempt burglary and nation state attack.
Tampering on energy usage
One reason for the deployment of the smart grid was to resolve the issue with energy theft. Although smart meters were able to eliminate the standard ways to steal energy from the traditional meter, it introduces new hacking methods via the network. With the right tools and resources, the data in the smart meter can be tampered. There are various approaches for an attacker to alter the energy usage, they include: administrative access, modifying smart meter firmware, intercepting the data transmission link.
Administrative access
Similar to the traditional meter, the smart meter stores the total energy consumption used by the household. This data can be hacked and modified via obtaining the smart meter password to grant administrative rights. Obtaining the smart meter password does not require much work for the attackers as once the smart meter is physically tampered, a device for monitoring is able to capture the passwords [13]. These passwords according to McLaughlin et al. is transmitted into the open without much security protection.
Once the attacker gained administrative rights on the smart meters, they are able to modify the total energy consumption data which then affects the electric bill. This allows the attacker to use more energy than they are actually paying. Additionally, with the administrative rights, attackers can also alter the audit logs stored in the smart meter. Audit logs are a record of timestamps when the smart meter is being accessed via administrative rights. Modifying audit logs need to be done in conjunction with total energy consumption data as it erases evidence on tampering.
Modifying smart meter firmware
Modifying the total energy consumption data using administrative access only provides a limited control over the smart meter. Hence, some attackers would choose to reverse engineer the firmware on the smart meter directly instead. When the smart meters firmware is modified, the attacker has full access on tariffs for Time of Use (TOU) pricing, event logs, received and executed commands [6, 13]. The smart meter can then be reprogramed to report fake data.
Intercepting the data transmission link
Apart from tampering on the energy usage at the smart meter end, the introduction of AMI also enables attackers to attack during the transmission of data from the consumers smart meter to the utility provider. When the data is being transmitted, it passes through several nodes, these nodes can then be targeted by the attackers if the security protocols are weak. The attackers can inject their own data into the transmitting data when it passes a node.
Before injecting false data into the network, the attackers need to first intercept the communication which is on the backhaul link. Attackers can tap a line near the first backhaul link [13]. Once this is done, the attackers are ready to inject false data by removing the original data being transmitted. However, as the AMI contains encryption in the network, the attackers are required to retrieve the encryption key which can be found in the smart meter. Instead of the smart meter accepting the data from the utility provider, the attackers can now accept via their devices and send false data. This leads to an attack technique called spoofing or masquerade as discussed previously. Additionally, attackers can attack when the utility provider and smart meter has already connected. This involves a man-in-the-middle attack at the node.
Billing others
Another method to steal energy is to bill the electricity to others instead. In order to do this, the attacker would first need to select a target (most often the targets have to be living nearby). After selecting a target, the attackers will hack into the targets smart meter to obtain identity information for example the meter IP. The attacker will then modify the data of their own smart meter to the targets meter IP. The attacker can also modify the targets smart meter to avoid the utility provider from detecting duplicate meters. This is often used by organised crime who are dealing with illegal businesses such as marijuana/cannabis farming. To maintain these farms, a large amount of electricity usage is needed, hence the attackers will resort to stealing energy to increase business revenue.
Besides billing others for financial gain, attackers can tamper the smart meter of a specific household so that the target household gets billed higher than their energy usage. For example, the target will get charged twice the cost per kWh. The attackers usually has no real motives other than to cause disturbance or for revenge.
Insider threat
The AMI system can also be exploited from within the utility provider. This can be a problem as it is not easy to detect abnormality within the utility. Insiders can either work for their own financial benefit or can be planted by the power generation provider. These insiders can either modify the pricing or the peak usage in the AMI system.
Pricing modification
An insider can modify the system at the AMI head end or the consumers end so that the pricing of electricity can then be altered to suit them. The insider can reduce the price of the electricity in an area (most likely the place the insider resides) so that the insiders electricity bill will be lower than the usual price. Furthermore, the insider will also increase the price of the electricity in another area to balance out the utilitys revenue to avoid any suspicion. This pricing modification by the insider can be done either via administrative access or physical hacking access.
Administrative access is usually done by insiders who are working in that particular department, in this case, the department which is involved in getting pricing information. They can then alter the price virtually without having to physically access the AMI head end system [12]. Physical hacking access on the other hand requires an insider who has a decent level of hacking and knowledge of the protocols involved. This is essential because they do not have administrative access and would need to bypass certain security measures.
Peak usage modification
The insider can also modify peak usage to gain financial benefit for the organization the insider is working for. Modifying peak usage is useful for power generation providers because the insider can increase the peak usage and price to produce a false electricity demand information. When the utility provider noticed that the demand for electricity increased they will then require to buy more electricity from the power generation provider. This could cause the utility provider to lose revenue and the power generation provider to increase in revenue. The possible scenario for this to happen can be when a power generation provider offers money to a personnel who desperately needs financial help to modify the data. The methods to modify peak usage is similar to modifying pricing [12].
Attempt burglary
Apart from energy theft, attackers can make money by exploiting the AMI to gain information on a target so that they can attempt a burglary. As mentioned previously, the data obtained by a smart meter specifically the energy consumption data can be used to monitor or spy on a particular household. The information once hacked tells the attacker if there is anyone home at that time. It can also be plotted on to a graph and analysed to learn about the household’s daily routine or show if the household is on vacation. The target chosen has to be someone who is wealthy as the effort put into this method for attempting burglary may not be the most efficient. One way to be able to identify a wealthy household as oppose to a not so wealthy household is to also monitor the energy consumption data. If a particular household uses more energy than an average household, means that money is not an issue for that household. Moreover, the graph also shows the number of appliances available in that household. Different peaks of the graph show different types of appliances. All of this can be done by just obtaining the energy consumption data.
Nation state attack
The AMI can also be exploited by large criminal enterprises whose goal may not just be the AMI system but to cause harm or disturbance to the surrounding. These organisations could plan to cause a disturbance in the power grid so that their final motives could succeed. The terrorist can hack via the consumers end and slowly work their way up to the AMI head end by hacking wireless communication links [12]. Furthermore, the terrorists can also exploit the weak security for AMI connectivity. The motives of this terrorists could be broken down into two groups; terror attack and manipulating the society.
Terror attack
Terrorists can target the power generation through the AMI system to cause a blackout so that their planned bombings could take place. The AMI system allows the utility provider to switch off any flow of electricity to a household if the electric bill is overdue. This feature also known as disconnect commands can be taken advantage by the terrorists where once hacked into the AMI head end, they can send an off command to any large area. Once a blackout occurs and the terrorist attack, the emergency response could be slow. The police and fire department along with the ambulance would be busy dealing with the blackout and could have a shortage of emergency forces to respond to an attack later.
Manipulating the society
An attack which involves manipulating the society may not seem reliable but the effects of it could cause emotional distress, behaviour changes and internal conflicts between the public and the government. The AMI system can be hacked by the terrorist and can modify the billing information of the consumers. This can cause economic issues among the public whereby the poor get poorer and people working in the electricity field get richer. When the public are pressured by issues regarding financial and economic instability, they tend to blame it on the government, and when the government does not appeal to the public, protest or even civil unrest could occur. This gives the attacker control on the lives of the society and must be prevented. Furthermore, the attacker can use this as a political tool to shift the tide to favour a political party during an election campaign for example.
Recommendations
This section aims to introduce a few important recommendations that could help mitigate the cyber security issues present in the AMI system and to reduce the practicality of exploiting the AMI system. Based on the practicality and severity analysis of the exploits, it is important to first address and provide recommendations to the issue which has the highest average of both practicality and severity.
Recommendations for tampering attacks
Tampering issues need to be addressed first because it is the base of all other threats hence, solving tamper issues can slow down and mitigate other cyber threats in the AMI. It is crucial for the public and personnel to be aware and fully understand the vulnerability of the AMI system. Creating awareness is the first step towards mitigating cyber security threats. The public and personnel need to be properly educated so that necessary precautions can be taken. For example, an educated consumer will notice any abnormality when monitoring their energy usage and will report it to the utility provider for investigation. Similarly, a welleducated personnel will understand the importance of cyber security and knows which part of the AMI system needs attention so that necessary security protocols can be implemented or strengthen.
For petty thefts and small groups of attackers, their main target would be the smart meter. Hence, enforcing the security at the smart meter would be the first priority. There are several recommendations to lower the threat level for tampering, one way is to strengthen the password which is used to access the smart meter. However, the password can also be obtained via monitoring the open as mentioned previously. Thus, proper security protection on the password is essential. Furthermore, although modifying the firmware of the smart meter requires a certain amount of expertise from the attacker, if the attacker is able to tamper with the firmware, the results could be severe. Thus, it is recommended to design lockable microcontrollers to prevent reinstallation of the firmware [11]. It is also recommended to encrypt the firmware in the smart meter.
The AMI communication network contains many nodes which when hacked can be used to connect all other nodes, hence, all the nodes should be encrypted. Although encrypting every node of the AMI network may seem sufficient, a stronger encryption is also needed to avoid unnecessary cyber security threat. Stronger encryption would slow down the hacking process of the attacker. The AMI network functions by constantly having to send and receive signals thus attackers can take advantage of this feature. One way to discourage attackers from launching a man-in-the-middle attack is to have all signals authenticated regardless of whether the signal is coming from the consumer or going out of the utility provider. To reinforce this method, the authentication can be made stronger for example, more complicated passwords or even biometrics.
Despite all the enforcing of the security protocols, not all utility provider would follow the same level of security measures, hence it is essential to have certain standards introduced. For example, a standard on having a stronger security protocol could help the AMI system mitigate small threats. These standards ensure that the AMI system has a minimum level of cyber security measures. However, a problem arises because the standards need to satisfy all the relevant stakeholders. This means that the stakeholders need to agree upon a common protocol and the level of cyber security. It is not as straightforward as it is for all the stakeholders to come to terms, as each stakeholder has a different view and requirement on the issue and only look to benefit themselves.
Additionally, legislations are important as it forces the implementers to take necessary cyber security precautions when designing the AMI system. These standards can then be implemented in one of the legislations to make it mandatory for the AMI system. Legislations can be used to solve the problem regarding different stakeholders requirement. When the government is more involved in regulating the cyber security in AMI, it forces all other stakeholders to take the same cyber security precautions.
Recommendations for insider attacks
Utility provider who take insider attacks for granted could face serious financial consequences. To prevent this, it is essential to create a certain level of awareness within the utility provider. The awareness could include educating personnel regarding insider threats and to mention the possibility of one to occur. Most of the problem with insider threats are that when the issue has finally been found, it is already too late. Thus, when personnel are aware of such threats, any suspicious activity or mismatch pricing information will be reported immediately. Moreover, the utility provider could perform frequent audit check ups or software integrity testing on the system. This allows, any modified data internally to be detected and actions can be taken. In addition to audit check ups, engineers at the AMI head end should also carry out regular cyber security tests to keep the cyber security protocols up to date. As the AMI system is constantly evolving, new technologies will be integrated, and the cyber security will contain more loopholes and susceptible to attacks. These tests can help address this issue because when the engineer runs the security tests on the system and it does not perform well, it will then be notified so that a better cyber security protocol can be implemented. Similar to the recommendation for tampering issue, the commands present in the utility provider needs to be authenticated and with a stronger authentication. Insiders can issue their own commands when they have gotten in to the communication network of the AMI system. By authenticating the commands, the insider would require bypassing the authentication which means it is less efficient to hack.
Recommendations for billing others and burglary
The cyber-attack of billing others and burglary involved in first obtaining the information of the consumer. Hence as mentioned previously, one recommendation is to anonymise the data of the consumer. When the consumers information is anonymous, it is harder for the hacker to track back the information hacked from the network to the original consumer. For the case of billing others, extra recommendations are required and are similar to tampering which is enforcing the security protocols at the smart meter and at the nodes throughout the network. Additionally, the meter IP of each household should also not be exposed to the open.
Recommendations for nation state attack
Nation state attack is probably the hardest threat to mitigate given the commitment and resources of the attacker. Nevertheless, there are a few recommendations to slow down such attacks or reduce the practicality of the attack so that the AMI system is a less tempting target. The utility provider could implement firewalls within the AMI network to help prevent the attackers from using consumer end to attack. A combination of the recommendations mentioned above and the recommendations here will be able to mitigate if not slow down a terrorist attack from occurring.
The nation state attack which involved manipulating of behaviour can be mitigated with awareness similar to the recommendation in tampering attacks. Educating the public and personnel on the possibility of such an attack would not only make the public more vigilant, but actions can be taken if such an event occurs.
Conclusions
The current standard grid is slowly reaching its lifetime with many problems including blackouts, this calls for a need to transition into a smart grid. South Australia which is currently facing with energy crisis is an example which could benefit from a smart grid. The purpose of this research project is to identify the cyber security issues present in the AMI, determine the requirements to reduce the cyber security issues, analyse the impact of the issues on the AMI, and to provide recommendations to the cyber threats. The introduction of communication networks within the AMI architecture has caused several cyber security issues. These cyber security issues are first identified and explained so that a list of possible attacks on the AMI can be determined. Each cyber security issue is associated with a type of attacker. It is essential to address the types of attacker so that necessary precautions can be taken towards them.
The cyber security issues can be minimised to an extent by following certain requirements. The regulatory requirements are essential in keeping the design of cyber security in the AMI up to date and works in conjunction with standards. Additionally, cyber security requirements can be used when implementing new security measures to minimise cyber security issues. It allows cyber security issues to be grouped up in to specific category of security requirements so that design engineers can easily implement security measures. Educating the public and personnel is one requirement not to be overlooked as the effect of such requirement can greatly impact the AMI system. It helps provide awareness among the public and personnel so that necessary precautions can be taken before the need for it arises.
This research explores the consequences of cyber security issues which is the exploitation of the AMI. There are many cyber threats that could or could not occur depending on the practicality of the attacks which will be analysed and given a grade. The AMI is particularly vulnerable to tampering attacks and insider threat while billing others and burglary are less likely to occur. The possibility for a nation state attack to occur on the other hand varies depending on the situation and motives of the attacker. However, it should not be taken lightly as the impact on a nation state attack is severe.
Several recommendations have been made in order to reduce the cyber threats and to ensure the AMI is less vulnerable to cyber attacks. It is mentioned that tampering attacks represent the base of all other threats, hence a proper mitigation method for tampering attacks can be used as a reference point to implement other recommendations. It is crucial to address the cyber security issues present in the AMI at an early stage of the design process as the consequences of a cyber attack is not to be taken lightly. As for existing AMI infrastructures, this project can help create certain awareness so that the necessary precautions can be taken.
As the concept of a smart grid is still fairly new to many countries, this research project can also shed some light on the cyber security issues in AMI. This project hopes to provide engineers and personnel a general reference and guide when implementing cyber security of an AMI system.
Reference
[1] J. Liu, Y. Xiao, S. Li, W. Liang and C. Chen, “Cyber Security and Privacy Issues in Smart Grids,” in IEEE Communications Surveys & Tutorials, vol. 14, no. 4, Fourth Quarter 2012. [2] F. M. Cleveland, “Cyber Security Issues for Advanced Metering Infrastructure (AMI),” Proceedings of the IEEE Power and Energy Society General Meeting: Conversion and Delivery of Electrical Energy in the 21st Century, pp. 15, 2008 [3] N.Liu, J.Chen, L.Zhu, J.Zhang and Y.He, “A Key Management Scheme for Secure Communications of Advanced Metering Infrastructure in Smart Grid,” in IEEE Transactions on Industrial Electronics, vol. 60, no. 10, October 2013. [4] R. Berthier, W. H. Sanders and H. Khurana, “Intrusion Detection for Advanced Metering Infrastructures: Requirements and Architectural Directions,” 2010 First IEEE International Conference on Smart Grid Communications, Gaithersburg, MD, 2010, pp. 350-355. [5] Y.Yan, Y.Qian and H.Sharif, “A Secure and Reliable In-network Collaborative Communication Scheme for Advanced Metering Infrastructure in Smart Grid,” in IEEE WCNC 2011. [6] R. R. Mohassel, A. S. Fung, F. Mohammadi and K. Raahemifar, “A survey on advanced metering infrastructure and its application in Smart Grids,” in IEEE 27th Canadian Conference on Electrical and Computer Engineering (CCECE), Toronto, ON, 2014, pp. 1-8. [7] N. Saputro and K. Akkaya, “On preserving user privacy in Smart Grid advanced metering infrastructure applications,” Security and Communication Networks, vol. 7, no. 1, pp. 206-220, 2013. [8] P. Deng and L. Yang, “A secure and privacy-preserving communication scheme for Advanced Metering Infrastructure,” 2012 IEEE PES Innovative Smart Grid Technologies (ISGT), Washington, DC, 2012, pp. 1-5 [9] R. Berthier, W. H. Sanders and H. Khurana, “Intrusion Detection for Advanced Metering Infrastructures: Requirements and Architectural Directions,” 2010 First IEEE International Conference on Smart Grid Communications, Gaithersburg, MD, 2010, pp. 350-355. [10] R. Shein, “Security Measures for Advanced Metering Infrastructure Components,” 2010 Asia-Pacific Power and Energy Engineering Conference, Chengdu, 2010, pp. 1-3. [11] K. Adak, J. Mohamed and S. H. Darapuneni, “Advanced Metering Infrastructure Security,” A Capstone Paper, University of Colorado, Boulder, 2010. [12] R. C. Parks, “Advanced Metering Infrastructure Security Considerations,” Sandia Report, Sandia National Laboratories, 2007 [13] S. McLaughlin, D. Podkuiko, and P. McDaniel, “Energy theft in the advanced metering infrastructure,” in Proc. the 4th International Conference on Critical Information Infrastructures Security, Springer, 2010, pp. 176-187 [14] R. Jiang, R. Lu, Y. Wang, J. Luo, C. Shen and X. S. Shen, “Energy-theft detection issues for advanced metering infrastructure in smart grid,” in Tsinghua Science and Technology, vol. 19, no. 2, pp. 105-120, April 2014. [15] Y. Mo, T. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig and B. Sinopoli, “CyberPhysical Security of a Smart Grid Infrastructure,” in Proceedings of the IEEE, vol. 100, no. 1, pp. 195-209, Jan. 2012. [16] S. Asri and B. Pranggono, “Impact of Distributed Denial-of-Service Attack on Advanced Metering Infrastructure,” Wireless Personal Communications, vol. 83, no. 3, pp. 2211- 2223, 2015. [17] P. Yi, T. Zhu, Q. Zhang, Y. Wu and L. Pan, “Puppet attack: A denial of service attack in advanced metering infrastructure network,” Journal of Network and Computer Applications, vol. 59, pp. 325-332, 2016. [18] K. Curtis, in Speech to Thinkfuture Smart Infrastructure Conference 2010 on smart infrastructure and privacy, Parliament House, Canberra, 2010. [19] U.S. Department of Energy, “Smart Grid Legislative and Regulatory Policies and Case Studies”, U.S. Energy Information Administration, Washington, D.C., 2011. [20] “Australian Privacy Principles— Office of the Australian Information Commissioner - OAIC”, Oaic.gov.au, 2017. [Online]. Available: https://www.oaic.gov.au/privacylaw/privacy-act/australian-privacy-principles. [Accessed: 10- Sep- 2017]. [21] Australian Privacy Principles, fact sheet 17. Australia: Office of the Australian Information Commissioner, 2014. [22] Australian Privacy Principles - a summary for APP entities. Australia: Office of the Australian Information Commissioner, 2014. [23] J. Lazar and M. McKenzie, “Australian Standards for Smart Grids Standards Roadmap”, Standards Australia, pp. 1-36, 2012. [24] E. Egozcue, D. Rodrguez, J. Ortiz, V. Villar and L. Tarrafeta, “Smart Grid Security”, European Network and Information Security Agency, 2012. [25] “Stop Smart Meters Australia”, Stop Smart Meters Australia, 2017. [Online]. Available: https://stopsmartmeters.com.au/. [Accessed: 29- Sep- 2017]. [26] “Cyber Security — Energy Networks Australia”, Energynetworks.com.au, 2017. [Online]. Available: http://www.energynetworks.com.au/cyber-security. [Accessed: 18- Sep- 2017]. [27] B. Murrill, E. Liu and R. Thompson II, “Smart Meter Data: Privacy and Cybersecurity”, Congressional Research Service, 2012. [28] “Smart Meters - Advanced Metering Infrastructure Cost Benefit Analysis”, Smartmeters.vic.gov.au, 2017. [Online]. Available: http://www.smartmeters.vic.gov.au/about-smart-meters/reports-andconsultations/advanced-metering-infrastructure-cost-benefit-analysis. [Accessed: 29- Sep- 2017]. [29] C.King, “Advanced Metering Infrastructure (AMI), Overview of System Features and Capabilities”, 2004