
Procedia Computer Science 52 (2015) 145 - 152

The 6th International Conference on Ambient Systems, Networks and Technologies

(ANT 2015)

Resiliency of Smart Power Meters to Common Security Attacks

Khaled Shuaib a,*, Zouheir Trabelsi a, Mohammad Abed-Hafez b, Ahmed Gaouda b, and Mahmoud Alahmad c

a College of Information Technology, UAEU, P.O. Box 15551, Al Ain, UAE

b College of Engineering, UAEU, P.O. Box 15551, Al Ain, UAE

c College of Engineering, University of Nebraska-Lincoln, Omaha, NE, USA

Abstract

The development of Smart Grid power systems is gaining momentum in many countries leading to massive deployment of smart meters to realize the envisioned benefits. However, there are several concerns among the consumer communities and the service providers with respect to information security when it comes to the deployment of smart meters. This paper attempts to address the main challenge related to smart grid information security by examining the resiliency of smart meters to security threats and attacks. Several common information security attacks are being used to study their impact on the performance of smart meters in a controlled laboratory environment. Results obtained showed drastic effect on the functionality of smart meters and their associated data gathering servers.

© 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Peer-review under responsibility of the Conference Program Chairs

Keywords: Smart Grid Systems, DOS Attacks, MiM Attack, Smart Meters;

1. Introduction

As of today, many power grid systems are not monitored or instrumented properly and effectively for real-time applications. The concept of Smart Grids has been introduced to solve many existing problems with the current outdated power grids in most countries around the globe. Several definitions of a Smart Grid system exist. For example, the US National Institute of Standards and Technology (NIST) refers to it as "the modernization of electricity delivery system so it monitors, protects and automatically optimize the operation of its interconnected elements - from the central and distributed system, to industrial users and building automation systems, to energy storage installations and to end use consumers and their thermostats, electric vehicles, appliances and other household devices"1.

* Corresponding author. Tel.: +97137135551; fax: +9713713 6901. E-mail address: k.shuaib@uaeu.ac.ae

ISSN 1877-0509; doi: 10.1016/j.procs.2015.05.049

One main component of a Smart Grid deployment is the Advanced Metering Infrastructure (AMI) using smart meters at the consumers' premises and substations. In 2012, U.S. electric utilities had 43,165,185 smart meter installations, 89% of them residential2. Worldwide, the number of installed meters will grow from 313 million in 2013 to nearly 1.1 billion in 20223. The essential functions of a typical smart meter include: recording real-time electricity usage; transmitting this data, at intervals of 15 seconds, to the smart grid; and receiving communications from the smart grid4,5. Additional features of the smart meter include tracking usage data to identify patterns and behaviors; the ability to disconnect the customer from the power grid; alerting the utility company when problems occur; interfacing with smart appliances in a home to control their operation during peak times; and supporting on-site renewable energy generation and exporting this energy to the grid via a net-metering agreement6. However, with the deployment of smart meters comes a major concern of information security related to consumers' privacy, data integrity, authentication, access control, system availability and several others. This is because smart meters are considered the weakest link when it comes to possible security breaches: smart meters are easier to attack through the associated home and neighborhood networks, especially when these networks rely on wireless communication technologies. For example, researchers in7 were able to capture consumption data from 485 Automatic Meter Reading (AMR) smart meters within a 300 meter radius neighborhood using simple electronic circuitry. Moreover, an attack launched from a smart meter can have major negative effects on the overall power grid system, which in some cases might result in blackouts, data corruption, accounting mistakes, etc. Active research to address these concerns is diverse in proposed solutions. For example, in8 a method is proposed that offers anonymity to the measured data through an escrow service. In9,10, a rechargeable battery system and a customized user control are proposed to protect the privacy of the load profile of a household's electricity consumption. In11 the authors propose a privacy-enhancing architecture that will not compromise the privacy of its customers.

In this work we examine how common security attacks such as the Denial of Service (DoS) attack and the Man-in-the-Middle (MiM) attack can be launched against smart power meters within a Local Area Network (LAN). The results shown in this paper present the negative effect such attacks can have. Although these attacks are generated within an isolated laboratory environment, generalizing them to be launched remotely by attackers is possible, with the same effect.

The rest of this paper is organized as follows. In section two, background work is discussed on common security attacks. In section three, we discuss DoS attacks and in section four ARP cache poisoning attacks are discussed. Section five presents security design considerations, and section six concludes the paper.

2. Common Security Attacks

In this paper common security attacks which are usually launched against computer systems, mobile devices and other appliances with Internet connectivity are being used. The focus is on two major attacks, namely the DoS attack and the MiM attack. We investigate the use of these common attacks to evaluate the resiliency of smart power meters against such attacks. As a specific case, we investigate the cache poisoning attack on corrupting the Address Resolution Protocol (ARP) cache entries of smart meters. Hosts with corrupted ARP cache entries are usually unable to communicate properly with the other network hosts12, such as servers collecting power measurements from smart meters. Consequently, a DoS situation may emerge from corrupting the ARP cache entries of smart meters or corresponding servers. In the next sections we will introduce the DoS and MiM attacks and explain how these attacks can be launched against smart meters connected through a LAN.

2.1. DoS Attack

A DoS attack, when launched against any system or component, has as its main objective to cripple the system's ability to function as intended, thus denying legitimate users of such a system its expected services. This is usually accomplished by launching an attack that overloads the system beyond its capabilities. DoS attacks are common against various systems and in most cases they are introduced by malicious users. Most DoS attacks rely on the exploitation of vulnerabilities in the communication protocols used, such as the TCP/IP protocol suite, or in the underlying data link layer technologies and their related protocols, such as the variants of the wired IEEE 802.3 Ethernet technology or the various IEEE 802.11 based WiFi technologies. Next we introduce several possible DoS attacks: the TCP SYN flood attack, the Land attack and the Ping flood attack.

TCP SYN Flood Attack: A TCP SYN flood attack exploits a weakness in the TCP protocol and can be used to make a host/server process unable to reply to legitimate client applications' requests. This is achieved by sending TCP SYN packets that build up incomplete connection requests. Connection requests are initiated through the three-way handshake process, which is part of the TCP connection establishment mechanism between two hosts (a client, i.e. a smart meter, and a server) trying to exchange information or for one to provide a service to the other. The simplified three-way handshake involves the exchange of three messages: SYN, SYN-ACK and finally an ACK to finalize the connection for data exchange. Incomplete handshake initiations, i.e. connection initiators not responding to the server's SYN-ACK messages to complete the three-way handshake, cripple the server's ability to function as expected. When the server has many of these intentionally introduced connections left unresolved, its built-in finite-size data structure that tracks all such pending connections fills up, causing it to stop serving any legitimate clients. The attacker's system sends SYN messages to the server that appear to come from legitimate users, using source addresses spoofed from the network address space the client is connected to. As a result, the server will have difficulty determining the identity of the true attacker when it receives this flood of SYN packets.

Land Attack: A Land attack occurs when the attacker combines a SYN flood attack with IP spoofing. This is achieved by sending spoofed SYN packets which contain the IP address of the targeted victim as both the source and destination IP addresses. This causes the target victim system to send responses to itself forming what is known as loop connections. These connections will only terminate when the set timeout per connection expires. Flooding a system with such loop connection messages can overwhelm the system, causing it not to respond to legitimate connections i.e. creating a DoS attack condition. In this case, the target host can be either the smart meter or the data collection server.

Ping Flood Attack: A Ping flood is an attack through which the targeted victim system becomes overloaded with ICMP Echo Request (ping) packets13. This is most effective when using the flood option of Ping which sends ICMP packets as fast as possible without waiting for replies, thus consuming all available bandwidth. Most implementations of Ping require the user to be privileged in order to specify the flood option. If the target system is slow enough, it is possible to consume enough of its CPU cycles for a user to notice a significant slowdown.
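The three patterns just described each leave a recognizable trace in the traffic a monitor on the meter segment can see. The following Python, written for this page (it is not code from the paper or from any tool it cites), runs simple detection rules over a constructed packet capture: a Land packet is a SYN whose source and destination are the same host, a SYN flood shows up as many SYNs toward one host that are never completed, and a Ping flood as an ICMP echo request rate far above the normal probing rate. The addresses come from Fig. 1; the time window, the thresholds and the spoofed source range 192.0.2.0/24 are assumptions.

```python
from collections import defaultdict

# Lab addresses taken from Fig. 1 of the paper.
METER = "10.10.10.2"
SERVER = "10.10.10.19"
ATTACK_HOST = "10.10.10.4"

# One record per packet as a passive monitor on a switch mirror port would
# see it: (seconds since capture start, src IP, dst IP, proto, TCP flags).
# proto is "tcp" or "icmp-echo"; flags is "S", "SA", "A" or "" for non-TCP.


def land_packets(packets):
    """Land attack fingerprint: a TCP SYN whose source and destination IP are
    the same host. No legitimate stack emits this, so a single hit is an alert."""
    return [p for p in packets
            if p[3] == "tcp" and "S" in p[4] and p[1] == p[2]]


def half_open_syn_count(packets, victim):
    """SYN flood indicator: SYNs sent to the victim by sources that never
    finish the handshake with an ACK during the capture."""
    ack_sources = {src for _, src, dst, proto, flags in packets
                   if proto == "tcp" and dst == victim and flags == "A"}
    return sum(1 for _, src, dst, proto, flags in packets
               if proto == "tcp" and dst == victim and flags == "S"
               and src not in ack_sources)


def rate_alerts(packets, victim, window=1.0, syn_threshold=100, icmp_threshold=500):
    """Count SYNs and ICMP echo requests aimed at the victim per time window
    and report the windows above threshold. The thresholds are assumptions
    for this example; a deployment derives them from the meter's normal profile."""
    syn, icmp = defaultdict(int), defaultdict(int)
    for t, _src, dst, proto, flags in packets:
        if dst != victim:
            continue
        w = int(t // window)
        if proto == "tcp" and flags == "S":
            syn[w] += 1
        elif proto == "icmp-echo":
            icmp[w] += 1
    alerts = []
    for w in sorted(set(syn) | set(icmp)):
        if syn[w] > syn_threshold:
            alerts.append((w, "syn_flood", syn[w]))
        if icmp[w] > icmp_threshold:
            alerts.append((w, "ping_flood", icmp[w]))
    return alerts


def sample_capture():
    """Constructed capture: normal meter/server traffic followed by the three
    attack patterns. Spoofed sources use the 192.0.2.0/24 documentation range."""
    pk = [(0.10, METER, SERVER, "tcp", "S"),        # legitimate handshake
          (0.11, SERVER, METER, "tcp", "SA"),
          (0.12, METER, SERVER, "tcp", "A"),
          (0.50, SERVER, METER, "icmp-echo", ""),   # routine reachability probes
          (0.60, SERVER, METER, "icmp-echo", ""),
          (1.00, METER, METER, "tcp", "S")]         # Land packet
    # window 2: 150 SYNs from spoofed sources, none of them ever completed
    pk += [(2.0 + i / 150, f"192.0.2.{i % 250 + 1}", METER, "tcp", "S")
           for i in range(150)]
    # window 3: 600 echo requests within one second from the attack host
    pk += [(3.0 + i / 600, ATTACK_HOST, METER, "icmp-echo", "")
           for i in range(600)]
    return pk


if __name__ == "__main__":
    cap = sample_capture()
    print("land packets:", land_packets(cap))
    print("half-open SYNs toward meter:", half_open_syn_count(cap, METER))
    print("rate alerts:", rate_alerts(cap, METER))
```

The rate rule is the one that matters for a meter: the paper's flood rates (over 5000 packets per second in section 3.1) sit orders of magnitude above the two-probe-per-second baseline here, so even a coarse per-second counter separates them cleanly, whereas the half-open count only becomes meaningful once the capture spans a full handshake timeout.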

2.2. Man-in-the-Middle (MiM) attack

MiM is one of the most common attacks and can be used as an active or passive attack. In its most obvious forms, a MiM attacker uses a tool to intercept network traffic between two communicating parties, for example, a smart meter and its associated server. The attacker can then perform a range of malicious actions depending on its intentions. For example, the tool can be used only for traffic analysis, causing no real disruption to either party. On the other hand, the tool can be used to modify the exchanged data traffic, redirect it to another malicious host, inject fake information or simply delay the data flow. In a smart grid environment, this kind of attack can compromise not only the integrity of power consumption data, but it can also jeopardize the privacy of consumers' information such as account data, electricity usage, name and address, and payment information.

In this work we focus on performing a MiM sniffing attack to re-route the network traffic exchanged between two target hosts to a malicious host, which forwards it to the original intended destination without any noticeable delay. This makes it difficult for the target hosts to notice that their traffic is being sniffed by a malicious attacker. This is performed in a switched LAN environment by corrupting the ARP cache entries of the target hosts using an ARP cache poisoning mechanism. In an ARP cache poisoning attack, a malicious host in a LAN introduces a spurious IP address to MAC address mapping in the ARP cache of another host. This is done by direct manipulation of the ARP cache of a target victim host, independently of the ARP messages that host sends. The malicious host does this either by adding a new fake entry to the ARP cache of the target victim host, or by updating an already existing entry with fake IP and MAC addresses12. In a MiM attack, the malicious user first enables its host's IP packet routing functionality, thus becoming a router able to redirect and forward intercepted packets; then, using the ARP cache poisoning mechanism, the malicious host corrupts the ARP cache entries of the two target hosts, forcing them to forward their data traffic through it.

3. Robustness of Power Smart Meters against DoS Attacks

In this experiment, we investigated the effect of the aforementioned common DoS attacks on the performance of two types of smart meters, namely the Power Quality Meter SHARK 200 Meter14 and the Power Nexus 1500 Meter15. The experiment was performed by launching the DoS attacks on the smart meters and then studying their robustness against such attacks, by analyzing their response time and their ability to communicate properly with the smart meter server while under attack. Fig. 1 shows the wired network architecture used in the experiment. A DoS attack generator host, a smart meter server and a smart meter are all connected to a layer 2 switch on the same subnet.

Fig. 1. Network architecture within a lab: the smart meter server (IP 10.10.10.19, MAC 00:23:8b:da:73:ec), the smart meter (IP 10.10.10.2, MAC 00:01:58:00:96:62) and the attack host (IP 10.10.10.4, MAC 00:19:b9:48:6f:a3) are connected to one layer 2 switch.

3.1. Building DoS Attack Traffic

Packet generator tools can be used to build Land attack traffic/packets. For example, using CommView Visual Packet Builder16, spoofed TCP SYN packets can be used to build Land attack packets. Similarly, Ping flood attack packets can be generated using the same tools. ICMP echo request packets can be used to build the Ping flood attack traffic. The generated ICMP echo request packets can flood the target smart meter at rates higher than 5000 packets per second. On the other hand, several tools can be used to generate SYN flood attack packets. As an example, Fig. 2 shows the SYNflood tool's command line used to generate a SYN flood attack. A flood of fake TCP SYN packets is sent to the target host. These kinds of attacks can either be launched individually or simultaneously by the same attacking host, thus causing a more drastic effect. The following subsection discusses the results of the performed experiments in our lab utilizing tools to generate such attacks.

Fig. 2. SYN flood attack traffic generated using SYNflood tool (console screenshot: the command line "synflood -interface 2 -ip_destination 10.10.10.5 -loops 0", followed by the tool's log of spoofed TCP SYN packets, 69 bytes each, sent to port 80 of 10.10.10.5)

3.2. Results from DoS Attacks

The results of the conducted experiments demonstrated clearly that DoS attacks had a significant negative effect on the smart meters' performance. Briefly, a few seconds after launching a DoS attack, Ping echo requests (ICMP echo requests) were sent to the smart meters. Responses from the meters to these requests were very slow, and in some cases there was no response at all, as the meters often disconnected from the network, particularly when the attack traffic rate increased significantly. For example, Fig. 3 shows how ping response times increased considerably after launching the DoS attacks, to over 200 milliseconds. In addition, the percentage of lost packets increased dramatically, to more than 24%. This is because the smart meter became overwhelmed trying to respond to the flood of ICMP packets generated by the attack and consequently became incapable of processing legitimate Ping echo requests. Moreover, when the rate of DoS attack traffic increases considerably, smart meters may crash and disconnect from the network. This demonstrates clearly that the tested smart meters are vulnerable to common DoS attacks and have no security protection mechanism to counter such attacks.

Fig. 3. Response time of the Power Quality Meter SHARK 200 before and during the DoS attacks (X-axis is the number of ICMP echo request packets, Y-axis is the response time in milliseconds).

4. Robustness of Power Smart Meters against ARP Cache Poisoning Attacks

In this section, we investigated the effect of ARP cache poisoning attack on the entries of the smart meters' ARP cache tables. The conducted experiment consists of attempting to corrupt the smart meters' ARP cache tables with fake entries, using fake ARP request packets. ARP cache poisoning attack is usually used to perform DoS attack or traffic rerouting. That is, network devices with corrupted ARP cache entries may not be able to communicate properly with the other network hosts, or their traffic is rerouted to a non-legitimate destination for sniffing purposes, before it is forwarded to the legitimate destination.

Building ARP Cache Poisoning Attack Packets: In this attack, the attacker host sends fake ARP request packets to the target device (a smart meter or its associated server) in order to inject fake IP/MAC entries into its ARP cache. Two attack scenarios were performed, as described below, using the ARP cache poisoning attack technique.

Attack scenario #1: The objective of this attack is to corrupt the ARP cache of the smart meter by inserting a fake IP/MAC entry. Practically, the fake IP/MAC entry assigns a non-existent MAC address to the IP address of the smart meter's associated server, so that the network traffic sent by the smart meter will not reach the server. Fig. 4 shows an example of such a fake ARP request built using the CommView Visual Packet Builder tool. The fake ARP packet is intended to corrupt the ARP cache of the smart meter by assigning the non-existent MAC address 11:11:11:11:11:11 to the IP address of the server (10.10.10.19). Hence, if the smart meter's ARP cache is vulnerable to the ARP cache poisoning attack, the fake ARP request will succeed, and consequently the smart meter will be prevented from communicating properly with the server. The results of the conducted experiment demonstrate clearly that the two tested smart meters were vulnerable to the ARP cache poisoning attack, since the generated fake ARP request packets succeeded in corrupting their ARP caches, preventing them from communicating properly with the associated server.

Fig. 4. Smart meter's corrupted ARP cache: after the attack host's fake ARP request, the meter's cache entry for the server IP address 10.10.10.19 maps to the non-existent MAC address 11:11:11:11:11:11.

Attack scenario #2: In this attack scenario, the attacker host attempts to corrupt both the ARP cache of the target smart meter and that of its associated server, using the ARP cache poisoning technique. The objective of this attack is to reroute the network traffic exchanged between the smart meter and the server to a non-legitimate destination, which is the attacker host. Once the rerouted traffic is sniffed by the attacker host, it is forwarded to the legitimate destination. To perform this kind of MiM attack, the attacker host needs to enable its IP routing feature. Then, the attacker host proceeds to corrupt the ARP caches of the smart meter and server by sending fake ARP requests, as shown in Fig. 5.

Fig. 5. Corrupted ARP caches for performing MiM attack

The results of this experiment demonstrate clearly that the attacker host succeeded in rerouting the traffic exchanged between the smart meter and the server using the ARP cache poisoning attack. For example, Fig. 6 shows that the traffic sent by the smart meter to the server goes first to the malicious host (MAC @= 00:19:b9:48:6f:a3) and is then forwarded to the server (MAC @= 00:23:8b:da:73:ec), creating a MiM attack situation. Overall, all the conducted experiments show clearly that the two tested smart meters and the associated servers running smart grid application software are vulnerable to common DoS attacks as well as to ARP cache poisoning attacks. Hence, the tested smart meters and associated servers can be easy targets of common network attacks, which might compromise secure communication for the exchanged smart grid data.
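Both scenarios above come down to one property of the meters' ARP handling: the sender pair of any ARP packet is written into the cache. The following Python is an added example for this page (not the paper's code, and no packet crafting is involved) that models that dynamic cache next to a cache with a static entry for the server, which is design consideration (2) in section 5, and adds a passive monitor that compares every observed ARP sender pair against a baseline inventory. The monitor distinguishes scenario 1 (a known IP suddenly claimed by an unknown MAC) from scenario 2 (one MAC claiming both the server's and the meter's IP). Addresses are those of Fig. 1 and Fig. 4; the baseline inventory is a hypothetical commissioning record.

```python
# Addresses from Fig. 1 and the non-existent MAC from Fig. 4.
SERVER_IP, SERVER_MAC = "10.10.10.19", "00:23:8b:da:73:ec"
METER_IP, METER_MAC = "10.10.10.2", "00:01:58:00:96:62"
ATTACKER_MAC = "00:19:b9:48:6f:a3"
BOGUS_MAC = "11:11:11:11:11:11"


class ArpCache:
    """Minimal model of a host ARP cache. Entries passed to the constructor are
    static and are never overwritten; everything else is learned dynamically
    from any ARP packet's sender pair, the behaviour the paper found in both meters."""

    def __init__(self, static_entries=None):
        self.table = dict(static_entries or {})
        self.static_ips = set(self.table)

    def learn(self, sender_ip, sender_mac):
        """Apply the sender IP/MAC pair of an ARP packet. Returns True if the
        cache changed, False if the entry is static or already identical."""
        if sender_ip in self.static_ips:
            return False
        changed = self.table.get(sender_ip) != sender_mac
        self.table[sender_ip] = sender_mac
        return changed

    def resolve(self, ip):
        return self.table.get(ip)


class ArpMonitor:
    """Passive detector fed with the sender pair of every ARP packet seen on the
    segment. Compares against a baseline of IP->MAC mappings (hypothetical
    commissioning inventory) and tracks which MAC currently claims each IP."""

    def __init__(self, baseline):
        self.baseline = dict(baseline)
        self.claims = {}

    def observe(self, sender_ip, sender_mac):
        self.claims[sender_ip] = sender_mac
        expected = self.baseline.get(sender_ip)
        if expected is None:
            return "unknown-ip"
        return "ok" if sender_mac == expected else "mapping-changed"

    def macs_claiming_multiple_ips(self):
        """One MAC claiming several IPs is the signature of the rerouting (MiM)
        scenario; the blackholing scenario changes a single mapping only."""
        by_mac = {}
        for ip, mac in self.claims.items():
            by_mac.setdefault(mac, set()).add(ip)
        return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def run_scenarios():
    baseline = {SERVER_IP: SERVER_MAC, METER_IP: METER_MAC}
    out = {}

    # Scenario 1: a fake ARP request maps the server IP to a non-existent MAC.
    meter = ArpCache()
    meter.learn(SERVER_IP, SERVER_MAC)                  # legitimate entry first
    mon1 = ArpMonitor(baseline)
    mon1.observe(SERVER_IP, SERVER_MAC)
    out["s1_verdict"] = mon1.observe(SERVER_IP, BOGUS_MAC)
    meter.learn(SERVER_IP, BOGUS_MAC)
    out["s1_dynamic_next_hop"] = meter.resolve(SERVER_IP)   # frames now go nowhere
    out["s1_shared_mac"] = mon1.macs_claiming_multiple_ips()

    # The same packet against a meter holding a static entry for its server.
    hardened = ArpCache({SERVER_IP: SERVER_MAC})
    out["s1_static_changed"] = hardened.learn(SERVER_IP, BOGUS_MAC)
    out["s1_static_next_hop"] = hardened.resolve(SERVER_IP)

    # Scenario 2: both caches remapped to the attacker's MAC (rerouting).
    meter2, server2 = ArpCache(), ArpCache()
    meter2.learn(SERVER_IP, SERVER_MAC)
    server2.learn(METER_IP, METER_MAC)
    mon2 = ArpMonitor(baseline)
    mon2.observe(SERVER_IP, SERVER_MAC)
    mon2.observe(METER_IP, METER_MAC)
    out["s2_verdicts"] = (mon2.observe(SERVER_IP, ATTACKER_MAC),
                          mon2.observe(METER_IP, ATTACKER_MAC))
    meter2.learn(SERVER_IP, ATTACKER_MAC)
    server2.learn(METER_IP, ATTACKER_MAC)
    out["s2_path"] = (meter2.resolve(SERVER_IP), server2.resolve(METER_IP))
    out["s2_shared_mac"] = mon2.macs_claiming_multiple_ips()
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The static entry stops both scenarios at the meter, but only for the peers it lists; the monitor is what covers the server side and any host whose cache cannot be made static, and its "mapping-changed" verdict is worth raising even when the new MAC belongs to a known host, since the paper's MiM scenario uses exactly such a host.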

4.1. Malicious manipulation of the Modbus protocol's data field

The Modbus protocol is a master/slave protocol used by smart meters and their associated server to establish connections and exchange data. Usually, Modbus communication requires the establishment of a TCP connection between a client (e.g. a smart meter) and a server. Normally, TCP port 502 is used, which is reserved for Modbus communication. Fig. 7 shows the general form of a Modbus message. Fig. 8 shows an example of a Modbus message that has been rerouted to the malicious host (10.10.10.4) following the MiM attack discussed in the previous section. Hence, knowing the form of a Modbus message, the attacker host can falsify the data field of the received Modbus message and forward the message to the legitimate destination. This attack, also known as a data injection attack, is considered very dangerous, as fake data from smart meters can be sent to the smart grid power provider, falsifying the real data. Consequences of such an attack can lead to wrong important decisions being made based on fake and/or misleading
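To make the Fig. 7 layout concrete from the receiving side, the following Python is an added example for this page (not the paper's code) that splits a frame into device address, function, data and CRC and verifies the 16-bit CRC-16/MODBUS that the serial form of the protocol carries. The sample frame is a constructed "read holding registers" request, not a capture from the lab; the function also shows why the check is only a transmission-error check: a data field rewritten without touching the CRC is caught, while a forger who recomputes the CRC produces a frame that passes.

```python
def crc16_modbus(data):
    """CRC-16/MODBUS over the address, function and data fields:
    initial value 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(address, function, data):
    """Assemble a frame in the Fig. 7 layout; the CRC travels low byte first."""
    body = bytes([address, function]) + bytes(data)
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_frame(frame):
    """Split a received frame into its fields and verify the CRC. A receiver
    must discard any frame whose CRC does not match the fields in front of it."""
    if len(frame) < 4:
        raise ValueError("frame shorter than address + function + CRC")
    body, trailer = frame[:-2], frame[-2:]
    received = trailer[0] | (trailer[1] << 8)
    return {
        "address": body[0],
        "function": body[1],
        "data": body[2:],
        "crc_ok": received == crc16_modbus(body),
    }


def with_replaced_data(frame, new_data):
    """Test vector: the same frame with only the data field replaced and the
    original CRC left in place, i.e. a modification made without recomputing
    the checksum. parse_frame() reports crc_ok == False for it."""
    return frame[:2] + bytes(new_data) + frame[-2:]


# Constructed sample: request to device address 1, function 3 (read holding
# registers), data = start register 0, count 10. The trailing C5 CD is the
# CRC-16/MODBUS of the first six bytes, low byte first.
SAMPLE_REQUEST = bytes.fromhex("01 03 00 00 00 0A C5 CD")

if __name__ == "__main__":
    print(parse_frame(SAMPLE_REQUEST))
    print(parse_frame(with_replaced_data(SAMPLE_REQUEST, bytes.fromhex("00 00 00 64"))))
    print(parse_frame(build_frame(1, 3, bytes.fromhex("00 00 00 64"))))
```

The last call in the usage block is the point the paper's section 4.1 makes: a host in the middle that rewrites the data field and regenerates the CRC hands the server a perfectly well-formed frame. On Modbus TCP the CRC field is not even present (the MBAP header replaces it), so the only structural answer is the one the paper lists as design consideration (4): protect the exchange with a cryptographic mechanism that an intermediary cannot recompute.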

Fig. 6. Packet rerouting following a MiM attack

Fig. 7. Modbus General Message Form:

Device address (8 bits) | Function (8 bits) | Data (n * 8 bits) | CRC check (16 bits)

5. Security Smart Meters Design Consideration

The security analysis conducted in this paper shows that the tested smart meters were designed without security measures to counter the two main common security attacks considered here, namely the DoS and ARP cache poisoning attacks. Hence, smart meters can be easy targets of malicious network traffic and users. Usually, smart meters are designed to offer ease of use and practical user interfaces with an effective cost model in mind. However, our work in this paper shows that the tested smart power meters lack basic security functions, such as packet filtering capabilities and integrated Intrusion Detection/Prevention functionalities to detect and prevent possible malicious attacks or simple passive monitoring attacks. Consequently, their availability and efficiency may become questionable within an implementation of a secure smart grid network. The following basic security considerations should be taken into account when designing secure smart meters to limit the effect of common network attacks:

(1) Smart meters should allow for packet filtering of network packets, such as blocking all incoming ping requests.

(2) The ARP cache of a smart meter should be made static, so that malicious ARP packets cannot update its contents with fake IP/MAC entries. This would protect the smart meter from DoS and MiM attacks based on ARP cache poisoning.

(3) High-rate network traffic targeting smart meters should be denied from reaching the kernel of the meters. This would protect the meters from many common DoS flood attacks. Smart meters with intrusion detection capabilities should be able to use basic common attack signatures and download new attack signatures.

(4) Smart meters should be equipped with encryption capabilities. This will prevent malicious users from being able to spy on and analyze the network traffic exchanged between the smart meters and associated servers.

Fig. 8. Example of rerouted Modbus message

6. Conclusions

This paper investigated the effect of various common information security attacks on the performance of smart meters. Experiments were conducted using DoS and ARP cache poisoning attacks. The experimental results demonstrate that the tested smart meters lack needed security functionalities, such as firewall-based packet filtering and Intrusion Detection/Prevention mechanisms. In order to enhance the availability and efficiency of smart meters and implement secure smart grid systems, several security functions should be incorporated into smart meters, mainly network packet filtering, intrusion detection and encryption capabilities. Our future work will focus on exploring other possible attacks, examining different network infrastructure scenarios and developing a data manipulation and injection tool tailored to the Modbus protocol.

References

1. G. Arnold and D. V. Dollen, "Report to NIST on the Smart Grid Interoperability Standards Roadmap", EPRI, Tech. Report, 2009.

2. Advanced Metering Infrastructure installations in the U.S.A., http://www.eia.gov/tools/faqs/faq.cfm?id=108&t=3

3. Number of smart meter installations worldwide, http://www.navigantresearch.com/newsroom/the-installed-base-of-smart-meters-will-surpass-1-billion-by-2022

4. Congressional Research Service, "Smart Meter Data: Privacy and Cybersecurity", http://www.fas.org/sgp/crs/misc/R42338.pdf

5. K. Shuaib, I. Khalil, M. Abdel-Hafez, "Communications in Smart Grid: A Review with Performance, Reliability and Security Consideration", Journal of Networks, Vol. 8, Issue 6, June 2013.

6. P. McDaniel and S. McLaughlin, "Security and privacy challenges in the smart grid", IEEE Security and Privacy 7(3) (2009): 75-77.

7. I. Rouf, H. Mustafa, et al., "Neighbourhood watch: Security and privacy analysis of automatic meter reading systems", ACM CCS, 2012.

8. C. Efthymiou and G. Kalogridis, "Smart grid privacy via anonymization of smart metering data", 2010 First IEEE International Conference on Smart Grid Communications (SmartGridComm), IEEE, 2010.

9. D. Varodayan and A. Khisti, "Smart meter privacy using a rechargeable battery: Minimizing the rate of information leakage", 2011 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), IEEE, 2011.

10. G. Kalogridis et al., "Elecprivacy: Evaluating the privacy protection of electricity management algorithms", IEEE Transactions on Smart Grid 2(4) (2011): 750-758.

11. A. Molina-Markham et al., "Private memoirs of a smart meter", Proceedings of the 2nd ACM Workshop on Embedded Sensing Systems for Energy-Efficiency in Building, ACM, 2010.

12. Z. Trabelsi and K. Shuaib, "A novel Man-in-the-Middle intrusion detection scheme for switched LANs", International Journal of Computers and Applications, Vol. 3, No. 3 (2008), pp. 234-243.

13. Z. Trabelsi, K. Hayawi, A. Al Braiki, and S. Mathew, Network Attacks and Defences: A Hands-on Approach, CRC Press, 2013.

14. Power Quality Meter SHARK 200 Meter, http://www.electroind.com/shark200-data-logging-power-meter.html

15. Power Nexus 1500 Meter, http://www.electroind.com/nexus1500.html

16. CommView Visual Packet Builder, http://www.tamos.com