Smart Grid Security David Brumley Assistant Professor of ECE & CS 1 The Smart Grid Tightly Couples Traditional Energy Systems with Computer Science Energy Systems Computer Science 2 Within Traditional Provider Infrastructure Unprecedented Levels of Communication and Coordination Homes Net Between Providers Network Critical Systems C&C of Existing Appliances Provider and Home Network Mobile Devices 3 Unprecedented Avenues for Attack Evil David Net Homes Coalition of Evil David’s Evil David Old Days: Impersonate device 4 Security Necessary Unintuitive Fact: Adding security and privacy requires redesign (not just “adding it in”) Islanding Integration with HAN Updatable Meters Requires Redesign Hourly Metering New Functionality 5 “An attacker with $500 of equipment ... could take command and control of the [advanced meter infrastructure] allowing for the en masse manipulation of service to homes and businesses.” ‐ IOActive, March 21, 2009 B Buggy AMI P Patched AMI Patching Fixes Security Problems 6 Patches Help Attackers − Evil David Evil David Delayed Patch Attack Evil David Use Patch to Gets Reverse Patch Engineer Bug T1 T2 Attack Unpatched Users Evil David’s Timeline Automatic Patch-Based Exploit Generation: I can automatically reverse engineer the patch and create exploits in minutes Minutes Gets Patch T1 Reverse Engineer Bug & Create Exploit T2 Attack Unpatched Users Evil David’s Timeline Example B read input if input % 2==0 F T s := input + 3 s := input + 2 ptr := realloc(ptr, s) • All integers unsigned 32‐bits • All arithmetic mod 232 • B is binary code Example B input = 232-2 read input 232-2 % 2 == 0 if input % 2==0 F T s := input + 3 s := input + 2 ptr := realloc(ptr, s) s := 0 (232‐2 + 2 % 232) ptr := realloc(ptr,0) Using ptr is a problem Example B read input Wanted: s > input if input % 2==0 F T s := input + 3 s := input + 2 Integer Overflow when: ¬(s > input) ptr := realloc(ptr, s) B Patch read input P read input if input % 2==0 F if input % 2==0 T s := input + 3 s := input + 2 F T s := input + 3 ptr := realloc(ptr, s) s := input + 2 if s > input F Error T ptr := realloc(ptr, s) B Patch read input P read input if input % 2==0 F if input % 2==0 T s := input + 3 s := input + 2 F T s := input + 3 ptr := realloc(ptr, s) s := input + 2 if s > input T F Error ptr := realloc(ptr, s) Exploits for B are inputs that fail new safety condition check in P (s > input) = false Real Microsoft Patches (only given binary code) ASPNet_Filter Information Disclosure 29 sec GDI Hijack Control 135 sec PNG Hijack Control 131 sec IE COMCTL32 (B) Hijack Control 456 sec IGMP Denial of Service 186 sec Can you patch all your AMI systems in under 29 seconds? Current Research: Fully Automated Exploit Generation Given program, find bugs, generate exploits Program (Firmware, Binary Code) DoS Exploit Generation Eavesdrop Take Control All Exploits Automated Attacks Will Be the Norm Other Research Interests at CMU: Privacy in Smart Meters • Utilities can tell: – When people are home – What they are doing – How many people • New business models, e.g., targeted advertisements, market research, etc. • Police may subpoena – Tracking – Find “unusual” power draws • How do we balance with user privacy? 17 Energy Systems AMI Computer Science Access Control Software Security Home Area Network Network Security Cryptography Distributed Control Systems Trusted Computing Physical Plants SCADA Usability & Privacy Threat Analysis 18 Security Already Needed “The NRC confirmed that in January 2003, the … Slammer worm infected a computer network at the idled Davis‐Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours and the plant’s process computer for about 6 hours.” ‐ http://www.gao.gov/new.items/d08526.pdf “Hacking The Smart Grid” ‐ DefCon 2009, by Tony Flick “it is paramount that smart grid devices and interoperability standards include protections against cyber intrusions .. that are designed from the start (not patches added on).” ‐ Patricia Hoffman, US DOE, in Testimony to House, July 23 2009 19 Invitation to Collaborate 1. If not now, when? – – Researchers (and attackers) will certainly have access to things once deployed Minimal collaboration so far 2. Design‐in security for reliability and safety – Post‐Hoc Vulnerability Assessment Insufficient (it doesn’t even work for security companies) 20 Bug Prioritization Linux has > 53,000 bugs. Which should be fixed first? Critical, widely deployed program or device Good David Exploit Generation Bugs to Fix First DoS Control Hijack All Exploits Verified Safe Invitation to Collaborate 1. If not now, when? – – Researchers (and attackers) will certainly have access to things once deployed Minimal collaboration so far 2. Design‐in security for reliability and safety – Post‐Hoc Vulnerability Assessment Insufficient (it doesn’t even work for security companies) 3. Future‐proof security for envisioned services and business models – Adding a primitive now during design will save $$$ later 22 AAccccee ssss CCoo nnttrrooll CCrryypp ttooggrraa pphhyy Ussaabb U iilliittyy & & PPrr iivvaaccyy SSooffttw waarree SSeeccuu rriittyy N Neettw woorrkk SSeeccuu rriittyy TTrruusstt eedd CCoo m mppuu ttiinngg TThhrree aatt AAnn aallyyssii ss Thank You dbrumley@cmu.edu http://www.ece.cmu.edu/~dbrumley SCADA Home Area Network Advanced Metering Infrastructure Distributed Control Systems Physical Plants 23