Smart Grid Security
David Brumley
Assistant Professor of ECE & CS
The Smart Grid Tightly Couples Traditional Energy Systems with Computer Science
[Diagram: Energy Systems on one side, Computer Science on the other, overlapping in the smart grid]
Unprecedented Levels of Communication and Coordination
[Diagram: communication within the traditional provider infrastructure, between providers, and across the provider-and-home network; the home side shows homes on the net, network-critical systems, command and control (C&C) of existing appliances, and mobile devices]
Unprecedented Avenues for Attack
[Diagram: the same network, now with an attacker ("Evil David") on the net, at the homes, and a coalition of Evil Davids acting together]
Old days: the attacker had to impersonate a device.
Security Necessary
Unintuitive fact: adding security and privacy requires redesign (not just "adding it in").
[Diagram: new functionality (islanding, integration with the HAN, updatable meters, hourly metering) requires redesign]
"An attacker with $500 of equipment ... could take command and control of the [advanced meter infrastructure] allowing for the en masse manipulation of service to homes and businesses."
- IOActive, March 21, 2009
[Diagram: B (buggy AMI) is patched to P (patched AMI): patching fixes security problems]
Patches Help Attackers
Evil David's timeline:
  T1: Evil David gets the patch
  (delay) Evil David reverse engineers the patch to find the bug
  T2: Evil David attacks unpatched users

Automatic Patch-Based Exploit Generation:
"I can automatically reverse engineer the patch and create exploits in minutes"
Evil David's new timeline:
  T1: gets the patch
  (minutes) reverse engineers the bug and creates an exploit
  T2: attacks unpatched users
Example
  B:
    read input
    if input % 2 == 0
      T: s := input + 2
      F: s := input + 3
    ptr := realloc(ptr, s)

  • All integers are unsigned 32-bit
  • All arithmetic is mod 2^32
  • B is binary code
Example (trace through B)
  input = 2^32 - 2
  read input
  (2^32 - 2) % 2 == 0, so the T branch is taken
  s := input + 2 = (2^32 - 2 + 2) mod 2^32 = 0
  ptr := realloc(ptr, 0)
  Using ptr afterwards is a problem: s wrapped to 0, so no buffer of the intended size exists, and realloc(ptr, 0) may free ptr and return NULL (the behaviour is implementation-defined), leaving a dangling or null pointer that the rest of the code treats as a valid buffer.
Example (the safety condition)
  Wanted: s > input (the computed size must exceed the input it was derived from)
  Integer overflow occurs exactly when ¬(s > input)
  B:
    read input
    if input % 2 == 0
      T: s := input + 2
      F: s := input + 3
    ptr := realloc(ptr, s)
B versus the patch P
  B:
    read input
    if input % 2 == 0
      T: s := input + 2
      F: s := input + 3
    ptr := realloc(ptr, s)

  P (the patch adds the safety check):
    read input
    if input % 2 == 0
      T: s := input + 2
      F: s := input + 3
    if s > input
      T: ptr := realloc(ptr, s)
      F: Error
Exploits for B are inputs that fail the new safety-condition check in P, i.e. inputs for which (s > input) = false.
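The slide's exploit definition carried into working C, as an added example that is not the slides' code or Brumley's tool: B and P are transcribed from the flowcharts above, and a small solver enumerates every unsigned 32-bit input that fails P's new check. It goes beyond the slides in two ways: it handles both branches (the slides trace only the even branch with input = 2^32 - 2), and it stands in for the constraint solver a real patch-based exploit generator would use with the closed-form observation that input + k wraps modulo 2^32 exactly when input > UINT32_MAX - k. The function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * B: the buggy size computation from the slides. All arithmetic is
 * unsigned 32-bit, so input + k silently wraps modulo 2^32.
 */
static uint32_t compute_size_B(uint32_t input)
{
    return (input % 2 == 0) ? input + 2 : input + 3;
}

/*
 * P: the patched version. Same computation, but the new safety check
 * (s > input) rejects wrapped sizes. Returns false on the Error path.
 */
static bool compute_size_P(uint32_t input, uint32_t *s_out)
{
    uint32_t s = (input % 2 == 0) ? input + 2 : input + 3;
    if (!(s > input))
        return false;
    *s_out = s;
    return true;
}

/* The slide's exploit condition: the input reaches P's new check and fails it. */
static bool violates_safety_condition(uint32_t input)
{
    uint32_t unused;
    return !compute_size_P(input, &unused);
}

/*
 * Solver for one branch (my closed form, standing in for a constraint solver).
 * The branch computes s = input + k and the patch requires s > input. In
 * unsigned 32-bit arithmetic that fails exactly when input + k wraps, i.e.
 * input > UINT32_MAX - k, so the only candidates are the k values
 * UINT32_MAX - k + 1 .. UINT32_MAX; keep those that also satisfy the branch
 * condition input % 2 == parity. Returns the number of inputs written.
 */
static size_t solve_branch(uint32_t k, uint32_t parity, uint32_t *out, size_t max)
{
    size_t n = 0;
    /* 64-bit loop counter so the bound x <= UINT32_MAX cannot itself wrap. */
    for (uint64_t x = (uint64_t)UINT32_MAX - k + 1; x <= UINT32_MAX && n < max; x++) {
        if ((uint32_t)x % 2 == parity)
            out[n++] = (uint32_t)x;
    }
    return n;
}

/*
 * Enumerate every input that exploits B: the union over both branches of P.
 * Each candidate is re-checked against P's real check, so the solver cannot
 * report an input the patched program would in fact accept.
 */
static size_t generate_exploits(uint32_t *out, size_t max)
{
    size_t n = 0;
    n += solve_branch(2, 0, out + n, max - n); /* even branch: s := input + 2 */
    n += solve_branch(3, 1, out + n, max - n); /* odd branch:  s := input + 3 */
    for (size_t i = 0; i < n; i++) {
        if (!violates_safety_condition(out[i]))
            return 0; /* solver and program disagree: report nothing */
    }
    return n;
}

int main(void)
{
    uint32_t ex[8];
    size_t n = generate_exploits(ex, 8);
    for (size_t i = 0; i < n; i++) {
        uint32_t s = compute_size_B(ex[i]);
        printf("exploit input 0x%08x -> B computes s = %u, i.e. realloc(ptr, %u)\n",
               (unsigned)ex[i], (unsigned)s, (unsigned)s);
    }
    return 0;
}
```

Running it lists three inputs: 0xFFFFFFFE and 0xFFFFFFFD make B call realloc(ptr, 0), and 0xFFFFFFFF makes it call realloc(ptr, 2). The third case is worth noting: wraparound does not have to land on zero to be exploitable, a 2-byte buffer that the program later fills with input-sized data is just as bad.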
Real Microsoft Patches (only given binary code)

  Patch            Vulnerability class     Time to generate exploit
  ASPNet_Filter    Information Disclosure   29 sec
  GDI              Hijack Control          135 sec
  PNG              Hijack Control          131 sec
  IE COMCTL32 (B)  Hijack Control          456 sec
  IGMP             Denial of Service       186 sec
Can you patch all your AMI systems in under 29 seconds?
Current Research: Fully Automated Exploit Generation
Given a program, find bugs, generate exploits.
[Diagram: Program (firmware, binary code) → Exploit Generation → All exploits: DoS, Eavesdrop, Take Control]
Automated attacks will be the norm.
Other Research Interests at CMU: Privacy in Smart Meters
• Utilities can tell:
  – When people are home
  – What they are doing
  – How many people there are
• New business models, e.g., targeted advertisements, market research, etc.
• Police may subpoena the data:
  – Tracking
  – Finding "unusual" power draws
• How do we balance this with user privacy?
[Diagram: the two halves of the problem]
Energy Systems: AMI, Home Area Network, Distributed Control Systems, Physical Plants, SCADA
Computer Science: Access Control, Software Security, Network Security, Cryptography, Trusted Computing, Usability & Privacy, Threat Analysis
Security Already Needed
"The NRC confirmed that in January 2003, the ... Slammer worm infected a computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours and the plant's process computer for about 6 hours."
- http://www.gao.gov/new.items/d08526.pdf

"Hacking The Smart Grid"
- DefCon 2009, by Tony Flick

"it is paramount that smart grid devices and interoperability standards include protections against cyber intrusions .. that are designed from the start (not patches added on)."
- Patricia Hoffman, US DOE, in Testimony to House, July 23 2009
Invitation to Collaborate
1. If not now, when?
   – Researchers (and attackers) will certainly have access to these systems once deployed
   – Minimal collaboration so far
2. Design-in security for reliability and safety
   – Post-hoc vulnerability assessment is insufficient (it doesn't even work for security companies)
Bug Prioritization
Linux has > 53,000 bugs. Which should be fixed first?
[Diagram: a critical, widely deployed program or device → Good David runs exploit generation → all exploits (DoS, control hijack) mark the bugs to fix first; the rest are verified safe]
Invitation to Collaborate (continued)
3. Future-proof security for envisioned services and business models
   – Adding a primitive now, during design, will save $$$ later
Thank You
dbrumley@cmu.edu
http://www.ece.cmu.edu/~dbrumley
[Closing diagram: the same topic map as before, Energy Systems (SCADA, Home Area Network, Advanced Metering Infrastructure, Distributed Control Systems, Physical Plants) alongside Computer Science (Access Control, Cryptography, Usability & Privacy, Software Security, Network Security, Trusted Computing, Threat Analysis)]