From 1283fa1b753054af22073cac5001781b267b7b25 Mon Sep 17 00:00:00 2001 From: jaseg Date: Thu, 28 May 2020 15:38:04 +0200 Subject: ma: do intro threat section --- ma/safety_reset.bib | 38 ++++++++++++++++++++++- ma/safety_reset.tex | 89 +++++++++++++++++++++++++++++++++++------------------ 2 files changed, 96 insertions(+), 31 deletions(-) diff --git a/ma/safety_reset.bib b/ma/safety_reset.bib index c6e085f..d1f5d2f 100644 --- a/ma/safety_reset.bib +++ b/ma/safety_reset.bib @@ -895,7 +895,7 @@ @Misc{entsoe03, author = {{ENTSO-E Working Group Incident Classification Scale Under System Operations Committee}}, date = {2014}, - title = {INCIDENTS CLASSIFICATIONSCALEMETHODOLOGY}, + title = {Incidents Classification Methodology}, institution = {ENTSO-E}, } @@ -1583,4 +1583,40 @@ year = {2005}, } +@Article{hahn01, + author = {Adam Hahn and Manimaran Govindarasu}, + date = {2011}, + journaltitle = {IEEE Transactions on Smart Grid}, + title = {Cyber Attack Exposure Evaluation Framework for the Smart Grid}, + doi = {10.1109/TSG.2011.2163829}, + pages = {835-843}, +} + +@InProceedings{temple01, + author = {William G. Temple and Binbin Chen and Nils Ole Tippenhauer}, + booktitle = {2013 IEEE International Conference on Smart Grid Communications}, + date = {2013}, + title = {Delay Makes a Difference: Smart Grid Resilience Under Remote Meter Disconnect Attack}, + doi = {https://doi.org/10.1109/SmartGridComm.2013.6688001}, + journaltitle = {2013 IEEE International Conference on Smart Grid Communications}, +} + +@InProceedings{cleveland01, + author = {Cleveland, Frances M.}, + booktitle = {2008 IEEE Power and Energy Society General Meeting-Conversion and Delivery of Electrical Energy in the 21st Century}, + date = {2008}, + title = {Cyber security issues for advanced metering infrasttructure (AMI)}, + organization = {IEEE}, + pages = {1--5}, + year = {2008}, +} + +@Online{heise03, + author = {Martin Holland}, + editor = {{Heise Online}}, + date = {2018-03-19}, + title = {Cambridge Analytica: Mehrere Untersuchungen angekündigt, mögliche Billionenstrafe für Facebook}, + url = {https://www.heise.de/newsticker/meldung/Cambridge-Analytica-Mehrere-Untersuchungen-angekuendigt-moegliche-Billionenstrafe-fuer-Facebook-3998151.html}, +} + @Comment{jabref-meta: databaseType:biblatex;} diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex index 179fcca..4434453 100644 --- a/ma/safety_reset.tex +++ b/ma/safety_reset.tex @@ -1,4 +1,5 @@ \documentclass[12pt,a4paper,notitlepage]{report} +\usepackage[ngerman, english]{babel} \usepackage[utf8]{inputenc} \usepackage[a4paper,textwidth=17cm, top=2cm, bottom=3.5cm]{geometry} \usepackage[T1]{fontenc} @@ -74,8 +75,7 @@ } \begin{document} - -% Beispielhafte Nutzung der Vorlage für die Titelseite (bitte anpassen): +\selectlanguage{ngerman} \input{murks} \titelen{A Post-Attack Recovery Architecture for Smart Electricity Meters} \titelde{Eine Architektur zur Kontrollwiederherstellung nach Angriffen auf Smart Metering in Stromnetzen} @@ -85,25 +85,30 @@ \gebdatum{Aus Datenschutzgründen nicht abgedruckt} % Geburtsdatum des Autors \gebort{Aus Datenschutzgründen nicht abgedruckt} % Geburtsort des Autors \gutachter{Prof. Dr. Björn Scheuermann}{Prof. Dr.-Ing. Eckhard Grass} -\mitverteidigung % entfernen, falls keine Verteidigung erfolgt %FIXME +\mitverteidigung \makeTitel -\selbstaendigkeitserklaerung{31.03.2020} +\selbstaendigkeitserklaerung{\today} \vfill +\selectlanguage{english} +{\center{ \begin{minipage}[t][10cm][b]{\textwidth} -\center{\ccbysa} + \center{\ccbysa} -\center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The full -text of the license can be found at:} + \center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The + full text of the license can be found at:} -\center{\url{https://creativecommons.org/licenses/by-sa/4.0/}} + \center{\url{https://creativecommons.org/licenses/by-sa/4.0/}} -\center{For alternative licensing options, source files, questions or comments please contact the author at -\texttt{masterarbeit@jaseg.de}}. + \center{For alternative licensing options, source files, questions or comments please contact the author at + \texttt{masterarbeit@jaseg.de}}. -\center{This is version \texttt{\input{version.tex}\unskip}. The git repository can be found at:} + \center{This is version \texttt{\input{version.tex}\unskip} generated on \today. The printed version of this + document will be marked \texttt{-dirty} due to the private personal information on the title page that is not + checked in to git. The git repository can be found at:} -\center{\url{https://git.jaseg.de/master-thesis.git}} + \center{\url{https://git.jaseg.de/master-thesis.git}} \end{minipage} +}} \newpage % Hier folgt die eigentliche Arbeit (bei doppelseitigem Druck auf einem neuen Blatt): @@ -904,7 +909,7 @@ Though there is room for the implementation of genuinely new, application-specif general state of the art is lacking behind other fields of embedded security. From this background low-hanging fruit should take priority\cite{heise02}. -Given political will these systems can readily be secured. There is only a comparatively small number of them and +Given political will these systems can readily be fortified. There is only a comparatively small number of them and having a technician drive to every one of them in turn to install a firmware security update is feasible. \subsubsection{Control function exploits} @@ -927,9 +932,9 @@ harder. One rather interesting attack on smart grid systems is one exploiting the grid's endpoint devices such as smart electricity meters. These meters are deployed on a massive scale, with at least one meter per household on -average\footnote{Some households may have a separate meter for detached properties such as a detached garage or -basement.}. Once compromised, restoration to an uncompromised state can potentially be very difficult if it requires -physical access to thousands of devices hidden inaccessible in private homes. +average\footnote{Households rarely share a meter but some households may have a separate meter for detached properties +such as a detached garage or basement.}. Once compromised, restoration to an uncompromised state can potentially be +very difficult if it requires physical access to thousands of devices hidden inaccessible in private homes. By compromising smart electricity meters, an attacker can trivially forge the distributed energy measurements these devices perform. In a best-case scenario, this might only affect billing and lead to customers being under- or @@ -941,9 +946,9 @@ contain high-current load switches to disconnect the entire household or busines unpaid for a certain period. In countries that use these kinds of systems on a widespread level, the load disconnect switch is controlled by the smart meter's central microcontroller. This allows anyone compromising this microcontroller's firmware to actuate the load switch at will. Given control over a large number of network-connected -smart meters, an attacker might thus be able to cause large-scale disruptions of power consumption\cite{anderson01}. -Combined with an attack method such as the resonance attack from \cite{wu01} that was mentioned above, this scenario -poses a serious danger to grid stability. +smart meters, an attacker might thus be able to cause large-scale disruptions of power +consumption\cite{anderson01,temple01}. Combined with an attack method such as the resonance attack from \cite{wu01} +that was mentioned above, this scenario poses a serious danger to grid stability. In places where Demand-Side Management (DSM) is common this functionality may be abused in a similar way. In DSM the smart metering system directly controls power to certain devices such as heaters. The utility can remotely control the @@ -955,28 +960,52 @@ This leads to a potentially significant role of DSM systems in the impact calcul system. DSM does not control as much load capacity as remote disconnect switches do. The attacks cited in the above paragraph still fundamentally apply. -\subsection{Attacker models in the smart grid} -% FIXME +\subsection{Practical threats} -\subsection{Practical attacks} -% FIXME +As a highly integrated system the electrical grid is vulnerable to attacks from several angles. One way to classify +attacks is by their motivation. Along this axis we found the following motives: -\subsection{Practical threats} -% FIXME +\begin{description} + \item[Service disruption.] An attack aimed at disrupting service could e.g.\ aim at causing a blackout. It could + also take aim in a more subtle way targeting a degradation of parameters such as power quality (voltage, + frequency and waveform). It could target a particular customer, geographic area or all parts of the grid. + Possible motivations range from a bored tennage hacker to actual cyberwar\cite{cleveland01,lee01}. + \item[Commercial disruption.] Simple commercial motives already motivate a wide variety of attacks on grid + infrastructure\cite{czechowski01}. Though generally mostly harmless from a cypersecurity point of view there are + instances where these attacks put the lives of both the attacker and bystanders at grave risk\cite{anderson01}. + Such attacks generally aim at the meter itself but a more sophisticated attacker might also target the + utility's backend computer-bureaucracy. + \item[Data extraction.] The smart grid collects large amounts of data on both individual consumers and on an + aggregate level. The privacy risk in individual consumer's data is obvious. On the web + data collection practices from questionable to flat-out illegal have widely proliferated for various purposes up + to manipulation of elections\cite{heise03}. Assuming criminals in this field would eschew fertile ground such as + this due to legal or ethical concerns is optimistic. Taking the risk to individual customer's data out of the + equation even aggregate data is still highly attractive to some. Aggregate real-time electricity usage data is a + potential source on timely information on things such as national social events (through TV set energy + consumption\cite{greveler01}) or just plainly the state of the economy. +\end{description} + +A factor to consider in all these cases is that one actor's attacks have the potential to weaken system security +overall. An attacker might add new backdoors to gain persistence or they might disable existing mitigations to enable +further steps of their attack. + +In this paper we will largely concentrate on attacks of the first type because they both have the most serious +consequences and the most motivated attackers. Attackers that may want to disrupt service include cyberwar operations of +enemy nation states. This type of attacker is both highly skilled and highly funded. -\subsection{Conclusion, or why we are doomed} +\subsection{Conclusion or, why we are doomed} We can conclude that a compromise of a large number of smart electricity meters cannot be ruled out. The complexity of network-connected smart meter firmware makes it exceedingly unlikely that it is in fact flawless. Large-scale deployments of these devices under some circumstances such as where they are used with load disconnect relays make them -an attractive target for attackers interested in causing grid instability. The attacker model for these devices very -definitely includes enemy states, who have considerable resources at their disposal. +an attractive target for attackers interested in causing grid instability. The attacker model for these devices includes +nation states, who have considerable resources at their disposal. For a reasonable guarantee that no large-scale compromises of hard- and software built today will happen over a span of some decades, we would have to radically simplify its design and limit attack surface. Unfortunately, the complexity of smart electricity meter implementations mostly stems from the large list of requirements these devices have to conform -with. Additionally, standards have already been written and changes that reduce scope or functionality have become -exceedingly unlikely at this point. +with. Alas, the standards have already been written, political will has been cast into law and changes that reduce scope +or functionality have become exceedingly unlikely at this point. A general observation with smart grid systems of any kind is that they comprise a departure from the decentralized control structure of yesterday's dumb grid and the advent of centralization at an enormous scale. This modern, -- cgit