ma: do intro threat section

jaseg 2020-05-28 15:38:04 +02:00
parent a1e6a1115d
commit 1283fa1b75
2 changed files with 97 additions and 32 deletions


@ -895,7 +895,7 @@
@Misc{entsoe03,
author = {{ENTSO-E Working Group Incident Classification Scale Under System Operations Committee}},
date = {2014},
title = {INCIDENTS CLASSIFICATIONSCALEMETHODOLOGY},
title = {Incidents Classification Methodology},
institution = {ENTSO-E},
}
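Review bot: The new title on the `title = {Incidents Classification Methodology}` line drops the word "Scale", which both the replaced all-caps title and the working group name in the `author` field carry. If the cited document is the scale methodology, keep the word: `title = {Incidents Classification Scale Methodology}`.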
@ -1583,4 +1583,40 @@
year = {2005},
}
@Article{hahn01,
author = {Adam Hahn and Manimaran Govindarasu},
date = {2011},
journaltitle = {IEEE Transactions on Smart Grid},
title = {Cyber Attack Exposure Evaluation Framework for the Smart Grid},
doi = {10.1109/TSG.2011.2163829},
pages = {835-843},
}
@InProceedings{temple01,
author = {William G. Temple and Binbin Chen and Nils Ole Tippenhauer},
booktitle = {2013 IEEE International Conference on Smart Grid Communications},
date = {2013},
title = {Delay Makes a Difference: Smart Grid Resilience Under Remote Meter Disconnect Attack},
doi = {https://doi.org/10.1109/SmartGridComm.2013.6688001},
journaltitle = {2013 IEEE International Conference on Smart Grid Communications},
}
@InProceedings{cleveland01,
author = {Cleveland, Frances M.},
booktitle = {2008 IEEE Power and Energy Society General Meeting-Conversion and Delivery of Electrical Energy in the 21st Century},
date = {2008},
title = {Cyber security issues for advanced metering infrasttructure (AMI)},
organization = {IEEE},
pages = {1--5},
year = {2008},
}
@Online{heise03,
author = {Martin Holland},
editor = {{Heise Online}},
date = {2018-03-19},
title = {Cambridge Analytica: Mehrere Untersuchungen angekündigt, mögliche Billionenstrafe für Facebook},
url = {https://www.heise.de/newsticker/meldung/Cambridge-Analytica-Mehrere-Untersuchungen-angekuendigt-moegliche-Billionenstrafe-fuer-Facebook-3998151.html},
}
@Comment{jabref-meta: databaseType:biblatex;}
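Review bot: In `temple01` the `doi` field holds a full URL (`https://doi.org/10.1109/SmartGridComm.2013.6688001`), while `hahn01` gives the bare identifier; biblatex builds the link from the bare DOI, so use `10.1109/SmartGridComm.2013.6688001` here. The same entry repeats the proceedings name in `journaltitle` although it is an `@InProceedings` with a `booktitle`. `cleveland01` carries both `date` and `year` and misspells "infrastructure" as "infrasttructure", and the page ranges mix `835-843` with `1--5`.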


@ -1,4 +1,5 @@
\documentclass[12pt,a4paper,notitlepage]{report}
\usepackage[ngerman, english]{babel}
\usepackage[utf8]{inputenc}
\usepackage[a4paper,textwidth=17cm, top=2cm, bottom=3.5cm]{geometry}
\usepackage[T1]{fontenc}
@ -74,8 +75,7 @@
}
\begin{document}
% Beispielhafte Nutzung der Vorlage für die Titelseite (bitte anpassen):
\selectlanguage{ngerman}
\input{murks}
\titelen{A Post-Attack Recovery Architecture for Smart Electricity Meters}
\titelde{Eine Architektur zur Kontrollwiederherstellung nach Angriffen auf Smart Metering in Stromnetzen}
@ -85,25 +85,30 @@
\gebdatum{Aus Datenschutzgründen nicht abgedruckt} % Geburtsdatum des Autors
\gebort{Aus Datenschutzgründen nicht abgedruckt} % Geburtsort des Autors
\gutachter{Prof. Dr. Björn Scheuermann}{Prof. Dr.-Ing. Eckhard Grass}
\mitverteidigung % entfernen, falls keine Verteidigung erfolgt %FIXME
\mitverteidigung
\makeTitel
\selbstaendigkeitserklaerung{31.03.2020}
\selbstaendigkeitserklaerung{\today}
\vfill
\selectlanguage{english}
{\center{
\begin{minipage}[t][10cm][b]{\textwidth}
\center{\ccbysa}
\center{\ccbysa}
\center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The full
text of the license can be found at:}
\center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The
full text of the license can be found at:}
\center{\url{https://creativecommons.org/licenses/by-sa/4.0/}}
\center{\url{https://creativecommons.org/licenses/by-sa/4.0/}}
\center{For alternative licensing options, source files, questions or comments please contact the author at
\texttt{masterarbeit@jaseg.de}}.
\center{For alternative licensing options, source files, questions or comments please contact the author at
\texttt{masterarbeit@jaseg.de}}.
\center{This is version \texttt{\input{version.tex}\unskip}. The git repository can be found at:}
\center{This is version \texttt{\input{version.tex}\unskip} generated on \today. The printed version of this
document will be marked \texttt{-dirty} due to the private personal information on the title page that is not
checked in to git. The git repository can be found at:}
\center{\url{https://git.jaseg.de/master-thesis.git}}
\center{\url{https://git.jaseg.de/master-thesis.git}}
\end{minipage}
}}
\newpage
% Hier folgt die eigentliche Arbeit (bei doppelseitigem Druck auf einem neuen Blatt):
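Review bot: `\selbstaendigkeitserklaerung{\today}` makes the date on the declaration of authorship depend on when the PDF is built, so every rebuild silently changes it, and `\today` is formatted in whichever babel language is active at that point, which is worth checking since `\selectlanguage{english}` only follows afterwards. A fixed date that is updated deliberately before signing would be safer. `\today` in the version line further down is fine, since that line is meant to describe the build.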
@ -904,7 +909,7 @@ Though there is room for the implementation of genuinely new, application-specif
general state of the art is lacking behind other fields of embedded security. From this background low-hanging fruit
should take priority\cite{heise02}.
Given political will these systems can readily be secured. There is only a comparatively small number of them and
Given political will these systems can readily be fortified. There is only a comparatively small number of them and
having a technician drive to every one of them in turn to install a firmware security update is feasible.
\subsubsection{Control function exploits}
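Review bot: While this paragraph is being touched, "lacking behind" in the context line directly above the changed sentence should read "lagging behind".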
@ -927,9 +932,9 @@ harder.
One rather interesting attack on smart grid systems is one exploiting the grid's endpoint devices such as smart
electricity meters. These meters are deployed on a massive scale, with at least one meter per household on
average\footnote{Some households may have a separate meter for detached properties such as a detached garage or
basement.}. Once compromised, restoration to an uncompromised state can potentially be very difficult if it requires
physical access to thousands of devices hidden inaccessible in private homes.
average\footnote{Households rarely share a meter but some households may have a separate meter for detached properties
such as a detached garage or basement.}. Once compromised, restoration to an uncompromised state can potentially be
very difficult if it requires physical access to thousands of devices hidden inaccessible in private homes.
By compromising smart electricity meters, an attacker can trivially forge the distributed energy measurements these
devices perform. In a best-case scenario, this might only affect billing and lead to customers being under- or
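Review bot: "hidden inaccessible in private homes" in the rewrapped sentence is ungrammatical; since these lines are being reflowed anyway, consider "hidden away in private homes" or "installed in private homes that are hard to access". In the new footnote a comma before "but" would help: "Households rarely share a meter, but some households may have ...".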
@ -941,9 +946,9 @@ contain high-current load switches to disconnect the entire household or busines
unpaid for a certain period. In countries that use these kinds of systems on a widespread level, the load disconnect
switch is controlled by the smart meter's central microcontroller. This allows anyone compromising this
microcontroller's firmware to actuate the load switch at will. Given control over a large number of network-connected
smart meters, an attacker might thus be able to cause large-scale disruptions of power consumption\cite{anderson01}.
Combined with an attack method such as the resonance attack from \cite{wu01} that was mentioned above, this scenario
poses a serious danger to grid stability.
smart meters, an attacker might thus be able to cause large-scale disruptions of power
consumption\cite{anderson01,temple01}. Combined with an attack method such as the resonance attack from \cite{wu01}
that was mentioned above, this scenario poses a serious danger to grid stability.
In places where Demand-Side Management (DSM) is common this functionality may be abused in a similar way. In DSM the
smart metering system directly controls power to certain devices such as heaters. The utility can remotely control the
@ -955,28 +960,52 @@ This leads to a potentially significant role of DSM systems in the impact calcul
system. DSM does not control as much load capacity as remote disconnect switches do. The attacks cited in the above
paragraph still fundamentally apply.
\subsection{Attacker models in the smart grid}
% FIXME
\subsection{Practical attacks}
% FIXME
\subsection{Practical threats}
% FIXME
\subsection{Conclusion, or why we are doomed}
As a highly integrated system the electrical grid is vulnerable to attacks from several angles. One way to classify
attacks is by their motivation. Along this axis we found the following motives:
\begin{description}
\item[Service disruption.] An attack aimed at disrupting service could e.g.\ aim at causing a blackout. It could
also take aim in a more subtle way targeting a degradation of parameters such as power quality (voltage,
frequency and waveform). It could target a particular customer, geographic area or all parts of the grid.
Possible motivations range from a bored tennage hacker to actual cyberwar\cite{cleveland01,lee01}.
\item[Commercial disruption.] Simple commercial motives already motivate a wide variety of attacks on grid
infrastructure\cite{czechowski01}. Though generally mostly harmless from a cypersecurity point of view there are
instances where these attacks put the lives of both the attacker and bystanders at grave risk\cite{anderson01}.
Such attacks generally aim at the meter itself but a more sophisticated attacker might also target the
utility's backend computer-bureaucracy.
\item[Data extraction.] The smart grid collects large amounts of data on both individual consumers and on an
aggregate level. The privacy risk in individual consumer's data is obvious. On the web
data collection practices from questionable to flat-out illegal have widely proliferated for various purposes up
to manipulation of elections\cite{heise03}. Assuming criminals in this field would eschew fertile ground such as
this due to legal or ethical concerns is optimistic. Taking the risk to individual customer's data out of the
equation even aggregate data is still highly attractive to some. Aggregate real-time electricity usage data is a
potential source on timely information on things such as national social events (through TV set energy
consumption\cite{greveler01}) or just plainly the state of the economy.
\end{description}
A factor to consider in all these cases is that one actor's attacks have the potential to weaken system security
overall. An attacker might add new backdoors to gain persistence or they might disable existing mitigations to enable
further steps of their attack.
In this paper we will largely concentrate on attacks of the first type because they both have the most serious
consequences and the most motivated attackers. Attackers that may want to disrupt service include cyberwar operations of
enemy nation states. This type of attacker is both highly skilled and highly funded.
\subsection{Conclusion or, why we are doomed}
We can conclude that a compromise of a large number of smart electricity meters cannot be ruled out. The complexity of
network-connected smart meter firmware makes it exceedingly unlikely that it is in fact flawless. Large-scale
deployments of these devices under some circumstances such as where they are used with load disconnect relays make them
an attractive target for attackers interested in causing grid instability. The attacker model for these devices very
definitely includes enemy states, who have considerable resources at their disposal.
an attractive target for attackers interested in causing grid instability. The attacker model for these devices includes
nation states, who have considerable resources at their disposal.
For a reasonable guarantee that no large-scale compromises of hard- and software built today will happen over a span of
some decades, we would have to radically simplify its design and limit attack surface. Unfortunately, the complexity of
smart electricity meter implementations mostly stems from the large list of requirements these devices have to conform
with. Additionally, standards have already been written and changes that reduce scope or functionality have become
exceedingly unlikely at this point.
with. Alas, the standards have already been written, political will has been cast into law and changes that reduce scope
or functionality have become exceedingly unlikely at this point.
A general observation with smart grid systems of any kind is that they comprise a departure from the decentralized
control structure of yesterday's dumb grid and the advent of centralization at an enormous scale. This modern,
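Review bot: The added description list has spelling errors: "tennage" should be "teenage" and "cypersecurity" should be "cybersecurity". In the same list, "individual consumer's data" and "individual customer's data" want the plural possessive ("consumers'", "customers'"), and "source on timely information" should be "source of timely information". The heading `\subsection{Conclusion or, why we are doomed}` has the comma on the wrong side of "or"; the previous "Conclusion, or why we are doomed" was correct. "In this paper" does not match a document built with the `report` class and a thesis title page, and the new paragraph says "enemy nation states" while the conclusion in this same hunk was changed from "enemy states" to "nation states"; pick one term.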