300 likes | 415 Views
Unified Architecture for Large-Scale Attested Metering. Michael LeMay George Gross Carl Gunter Sanjam Garg. Outline. Introduction Advanced Metering Overview Threat Model Security Architecture Application to Threat Model Future Work. Introduction.
E N D
Unified Architecture for Large-Scale Attested Metering Michael LeMay George Gross Carl Gunter Sanjam Garg
Outline • Introduction • Advanced Metering Overview • Threat Model • Security Architecture • Application to Threat Model • Future Work
Introduction • Problem: Advanced Meters exhibit a number of security and privacy vulnerabilities • Project Objective: Create a secure, private, and extensible architecture for future advanced meters • Approach: Attested Metering: Apply Trusted Computing (TC) and virtualization technology to secure Advanced Metering network communications and computation
Advanced Metering Infrastructure (AMI) • Advanced Meters: Electronic utility meters with bidirectional network connections to the Meter Data Management Agency (MDMA) • Network types: • RF wireless (ZigBee/802.15.4, Wi-Fi/802.11, proprietary) • Power-Line Communication (PLC) • Broadband over PowerLines (BPL) • Cellular (CDMA, GSM) • Phone line • Benefits: • Customer control • Demand response • Improved reliability
Advanced Meter Functions • Read data such as kWh consumption • Disconnect/reconnect power remotely • Request demand response from premise • Execute diagnostics • Reset meter (change season mode) • Set date/time • Clear tables • Log in (username/password) • Log out
Partial threat model • Unethical customer • May attempt to modify metering messages to steal service • Has legitimate physical access to meter, could modify it • Overly-intrusive MDMA • Could use high-resolution metering data to determine behavior of metered residents • Publicity seeker • Cracker or virus author seeking physical disruption to garner publicity Hart, 1989; Residential energy monitoring and computerized surveillance via utility power flows
Security Architecture • Use hypervisor on embedded processor to isolate metering applications • Control network communications to external entities to prevent undesirable data leakage • Use remote attestation to guarantee integrity of system components and individual VMs
Approach: Unethical Customer • Review: • May attempt to modify metering messages to steal service • Has legitimate physical access to meter, could modify it • Remote attestation with virtualization verified by MDMA to ensure software was not tampered • Physical tampering important (and very common) but mostly outside our scope • Sometimes detectable if customer cuts connection to meter, causing outage notification to be transmitted
Approach: Intrusive MDMA Measurement What software are you running? 0x5413bcd731a4,0x8baaaf53,… Certify the software and TPM. 0x5413bcd731a4 OK, I trust you to calculate the bill. Measurement Measurement Measurement 11
Future Work • Address issues surrounding software distribution, updates, and removal • Port to embedded architecture such as ARM or Atmel AVR, or other microcontroller used in modern meters • Define and address key management issues • Explore security-critical value-added applications for advanced meters, such as emergency network retasking
Questions? • Website • http://seclab.uiuc.edu/attested-meter • Michael LeMay • mdlemay2@cs.uiuc.edu • George Gross • gross@uiuc.edu • Carl A. Gunter • cgunter@cs.uiuc.edu
AMI (cont.) • Standards: • ANSI C12.19: • Specifies how data is laid out in a meter, in terms of predefined tables • Meter functions invoked by writing to special table and reading results from other tables • ANSI C12.18: • Specifies how C12.19 tables are accessed using an optical port (or RS-232 in rare cases) • ANSI C12.22: • Similar to C12.18, but works with any network C12.18 port
Virtualization • Hypervisors, or Virtual Machine Monitors (VMMs), run entire guest operating systems in isolated system partitions • Provide strong isolation between guests to prevent software by one vendor from interfering with software by another vendor 21
Trusted Computing Problem • Software is controlled by machine operator • Machine operator, software distributor, or attacker can maliciously subvert software • Modify binary • Run on untrusted hardware • Attach debugger to monitor operation • Software publisher has no assurance that software is being used in unmodified state, as intended 22
Remote Attestation • Uses keys and Platform Configuration Registers (PCRs) embedded in Trusted Platform Module (TPM) to attest to integrity of system configuration • Possible assurances: • System running trusted software • System equipped with valid TPM • Applications can also attest to the states of specific data files
Approach: Curious Eavesdropper • Review: • Someone casually spying on neighbor • Probably wouldn’t go beyond scripted attack tools • Use network technologies that support per-link encryption, not network-wide shared keys • If necessary, use cryptographic tunnels
Approach: Motivated Eavesdropper • Review: • Thief, criminal seeking intelligence on victims • May be willing to physically modify hardware • “Soft” attacks addressed by strong encryption. • Physical attacks important but outside our scope
Approach: Active Attacker • Review: • Wants to destabilize grid or cause blackout • Could perform DoS to block demand reduction signals • Could directly attack remote disconnect function on many meters to disconnect homes and businesses • Properly authenticate and authorize MDMA, customer, and any other entities with access to control functions on meters.
Prototype Hardware • Hardware: • Dell laptop with TPM and USB ZigBee interface emulating meter • RS-232 connected ammeter • USB-connected UPS emulating battery backup, outage detection, and frequency measurement • X10 home automation devices • Desktop PC with RS-232 ZigBee interface emulating customer PC or MDMA
Prototype Software • Java implementation of ANSI C12.19 with C12.22 • Xen Virtual Machine Monitor • Linux Integrity Management Architecture (IBM) • TrouSerS: IBM Linux TCG Software Stack • jTSS: Java wrapper for TrouSerS
Prototype Applications • Consumer portal • Provides realtime data about energy usage, demand response actions, and audit logs to customer • Allows customer to: • Verify operation of external network filter • Monitor transmissions from VMs • Check audit logs for administrative actions performed on meter
Prototype Applications (cont.) • Meter Data Management VM • Provides billing data, outage & restoration notifications, and maintenance information to MDMA • Accepts price schedules from MDMA • Demand Response VM • Processes direct Demand Response (DR) requests from MDMA VM • Enacts customer DR preferences based on price signals received from MDMA VM
How can you help us? • Please give us feedback! • Visit our website for more information: http://seclab.uiuc.edu/attested-meter • We welcome donations of metering hardware and software • Helps us to understand capabilities of practical devices • Directs our research to help solve actual problems in real devices