AMI architectural analysis, threat modelling and penetration test.
Definition of a threat model for AMI risks, in order to identify focus areas, prioritize detailed checks and, where needed, new countermeasures. Threat scenarios include physical intrusion, hardware manipulation, firmware / software reversing and network intrusion.
The model weighs business impact against threat likelihood, i.e. technical complexity, required attacker skill level, etc.
Diagram of the AMI components and the links between them: Smart Meters, Data Concentrators and the Central System, connected over RF Point to Point, RF Mesh (RF Tower), Cell Tower, Power line and Direct Link.
AMI INFRASTRUCTURE
SIMPLIFIED VIEW
Smart Meter
Threats:
• Firmware Manipulation
• Connection Tampering
Actors:
• Fraudsters
• Malicious Insider
• Malicious Customers
• Skilled Attacker
Impacts:
• Integrity Loss
• Authentication bypass
• Frauds
• MiTM
• Assurance Loss
• Information Leaks (GDPR/privacy)

Data Concentrator
Threats:
• Rogue Data Concentrator
• Data Concentrator SW Flaws
• Connection Tampering
Actors:
• Malicious Insider
• Malicious Customers
• Skilled Attacker
• Hacktivists
Impacts:
• Smart Meter compromise
• MiTM
• Authentication bypass
• Targeted Attacks
• Frauds
• Provisioning Loss
• Information Leaks (GDPR/privacy)

Central System
Threats:
• Network Flaws
• Application Flaws
Actors:
• Malicious Insider
• Hacktivists
• High Profile Attackers
Impacts:
• Internal Systems compromise
• Data Loss
• Infrastructure Control Loss
• Provisioning Loss
• Assurance Loss
• Reputation Loss
• Information Leaks (GDPR/privacy)
AMI THREAT MODEL
OVERVIEW
Component: Smart Meter
Threat: Firmware Manipulation
Explanation: Attackers can extract the firmware from the Meter, manipulate it and/or redeploy it in order to:
• Extract authentication data and reuse it in an authentication attack
• Extract crypto keys and reuse them in a connection tampering attack
• Reprogram the firmware for billing fraud
• Cause physical harm
Exposure: Physical access
Difficulty: Medium. Attackers need deep knowledge of the Meter (simpler for an insider)

Component: Smart Meter
Threat: Connection Tampering
Explanation: Attackers can mount MiTM attacks; with these it is possible to access the data exchanged between Meter and collectors and analyze the communication protocols in order to:
• Intercept data from the Meter to the central systems / data concentrator and change values, spoofing the Meter identity and/or billing data
Exposure: Remote
Difficulty: High. Attackers need deep knowledge of the infrastructure and of the crypto protecting data in motion
AMI THREAT MODEL
DRILL DOWN (1/3)
Component: Data Concentrator
Threat: Rogue Data Concentrator
Explanation: Attackers can build a fake Data Concentrator; this kind of attack can be used to take a large number of Meters off the grid and generate:
• Grid instability
• Drops/spikes in demand (provisioning system failures)
• Push of manipulated firmware to Meters
Exposure: Remote
Difficulty: High. Attackers need deep knowledge of the infrastructure and must be skilled in the technology

Component: Data Concentrator
Threat: Connection Tampering
Explanation: The Data Concentrator usually sits between Meters and the central system, the best place to perform a MiTM attack, by exploiting the DC through an application flaw or physically, in order to:
• Run disaggregation attacks to profile customer energy consumption behaviour (privacy breach)
• Disrupt the grid (DoG)
• Tamper with data for billing fraud
Exposure: Remote
Difficulty: Medium. Attackers need deep knowledge of the Data Concentrator (simpler for an insider/developer)
AMI THREAT MODEL
DRILL DOWN (2/3)
Component: Central System
Threat: Network Flaws
Explanation: Attackers can obtain access to the AMI Central Systems by exploiting various network flaws (leaked VPN credentials, misconfigurations in network devices, …). This kind of attack can be aimed at:
• Disruption of the grid (DoG)
• Customer data theft
• Billing fraud
• …
Exposure: Local and Remote
Difficulty: High. Attackers must be skilled and leverage 0-days (network devices) or high profile attack vectors

Component: Central System
Threat: Application Flaws
Explanation: Highly skilled attackers can target Central System applications with conventional or unconventional attack vectors (spear phishing, account theft, account leaks, …) in order to:
• Disrupt the grid (DoG)
• Steal customer data
• Commit billing fraud
• …
Exposure: Local and Remote
Difficulty: Medium. Attackers must be skilled and use high profile attack vectors
AMI THREAT MODEL
DRILL DOWN (3/3)
Chart: each of the six threats, labelled A to F, rated on Exposure and on Difficulty:
A. Firmware Manipulation – Meter
B. Connection Tampering – Meter
C. Rogue Data Concentrator – Data Concentrator
D. Connection Tampering – Data Concentrator
E. Network Flaws – Central System
F. Application Flaws – Central System
AMI THREAT MODEL
APPLICABILITY
Attack flow (in order):
• Attackers analyze the hardware components and attack surface:
- Eye-contact / datasheet-based analysis of the board, trying to identify chips, memory components and I/O / UART ports
- Tools for assisted discovery of on-chip debug interfaces
- Step-by-step bus reconstruction, identifying useless and useful pins
Alternatively, an insider brings out information on the Meter infrastructure such as meter firmware, radio configuration, on-board security keys and certificates
• Identify the optical port, useful for reprogramming the firmware without deep hardware interaction
• Develop a firmware with billing mechanism bypass logic
• Try to sell the "service" to retail and business customers
• Billing systems are misled by the untrusted data sent by the Meters
CASE STUDY
METER FRAUD
Meter hardware analysis
Using appropriate tools to disassemble the hardware enclosure and inspect the logic board, noting:
• Chip manufacturers, models and packaging (TSOP, BGA, TLGA)
• Related datasheets
• I/O ports such as UART, optical and JTAG, found by visual inspection or tool-aided inspection (ex: JTAGulator, Bus Pirate)
• The buses, identified from the component datasheets and by step-by-step reconstruction of useless and useful pins
• Memory dumps (chip-off or JTAG) and firmware extraction
• Analysis of in-transit data with a logic analyzer
• Mapping of possible attack points
Image for illustrative purposes
CASE STUDY
METER FRAUD > DRILL DOWN
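The memory dump and firmware extraction steps above end with a blob of bytes that has to be triaged for the keys and credentials the case study is after. The following Go program is an added example, not code from the original deck: it fabricates a small flash image (labelled as constructed, with a planted 16-byte key and Telnet-style credentials) and then runs the two first-pass checks a practitioner applies to a real dump, an aligned-block entropy scan for key material and a printable-string sweep. The offsets, strings, key bytes and the 3.9 bits/byte threshold are all assumptions of the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Constructed 16-byte key planted in the sample dump (not from any real meter).
var sampleKey = []byte{
	0x9F, 0x3C, 0x71, 0xE2, 0x08, 0xB5, 0x4D, 0xC6,
	0x1A, 0x87, 0xF0, 0x2E, 0x69, 0xD3, 0x5B, 0xA4,
}

// buildSampleDump fabricates a flash image: erased 0xFF filler, a config area
// with a version string and credentials, a key blob on a 16-byte boundary and
// a repetitive code-like region. All values are invented for the example.
func buildSampleDump() []byte {
	dump := make([]byte, 512)
	for i := range dump {
		dump[i] = 0xFF
	}
	copy(dump[0x40:], "METER-FW-2.1.7\x00")
	copy(dump[0x60:], "admin\x00")
	copy(dump[0x70:], "dlms2020\x00")
	copy(dump[0x100:], sampleKey)
	for i := 0x180; i < 0x1C0; i++ {
		dump[i] = byte(i % 4)
	}
	return dump
}

// shannonEntropy returns bits per byte of b: 0 for constant data, 4.0 for a
// 16-byte block with 16 distinct values, 8 at most.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	var h float64
	for _, n := range counts {
		if n == 0 {
			continue
		}
		p := float64(n) / float64(len(b))
		h -= p * math.Log2(p)
	}
	return h
}

// findKeyCandidates returns offsets of aligned blocks whose entropy reaches
// minEntropy. It assumes keys sit on blockSize boundaries, as fixed-size
// fields in a config struct usually do; compressed or encrypted code regions
// trigger it too and have to be triaged by hand.
func findKeyCandidates(dump []byte, blockSize int, minEntropy float64) []int {
	var hits []int
	for off := 0; off+blockSize <= len(dump); off += blockSize {
		if shannonEntropy(dump[off:off+blockSize]) >= minEntropy {
			hits = append(hits, off)
		}
	}
	return hits
}

// findStrings extracts runs of printable ASCII of at least minLen bytes, the
// quickest way to spot version tags, hostnames and hard-coded credentials.
func findStrings(dump []byte, minLen int) []string {
	var out []string
	start := -1
	for i, c := range dump {
		printable := c >= 0x20 && c <= 0x7E
		switch {
		case printable && start < 0:
			start = i
		case !printable && start >= 0:
			if i-start >= minLen {
				out = append(out, string(dump[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(dump)-start >= minLen {
		out = append(out, string(dump[start:]))
	}
	sort.Strings(out)
	return out
}

func main() {
	dump := buildSampleDump()
	fmt.Println("strings:", findStrings(dump, 5))
	for _, off := range findKeyCandidates(dump, 16, 3.9) {
		fmt.Printf("key candidate at 0x%03X: % X\n", off, dump[off:off+16])
	}
}
```

On a real dump the entropy scan is only a first filter: the version string block scores about 3.6 bits/byte and the key block 4.0, so the threshold has to be tuned per image, and a candidate is confirmed by finding a reference to its offset in the disassembled code or by using it to decrypt captured traffic.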
Attack flow (in order):
• Attackers analyze the Data Collectors' physical deployment location, scan the exposed services by connecting to them and fingerprint the system
• They find design and software flaws (deployed services and OS), misconfigurations, weak credentials (Telnet, SSH, etc.) or MiTM opportunities (ex: GPRS network via a fake BTS)
• They exploit the weaknesses in order to take control of the device (ex: weak SSH or Telnet credentials)
• They acquire the radio configuration, security keys and certificates contained in memory or on the file system
• From there attackers can perform MiTM attacks and tamper with in-transit data (ex: on the DLMS-COSEM protocol), and push new manipulated firmware to the Meters
• Meters are under the control of attackers, who can perform:
- Denial of Grid (DoG)
- Billing fraud
- Etc.
• After the compromise a disaggregation attack is carried out: customer data are monitored and under the control of attackers, and customer privacy is compromised
CASE STUDY
DATA CONCENTRATOR MULTI-VECTOR ATTACK
Image for illustrative purposes
Data Collector analysis starts from physical analysis ("where it is deployed, accessibility and packaging") and goes on to understand which kind of technology is deployed:
• Communication analysis (RF, ZigBee, GPRS, etc.) to attempt a MiTM using specialized hardware such as a fake BTS and SDR radio
• Attempting physical access in order to identify Ethernet ports, serial ports, etc.
When an entry point is found, the next step is to analyze the exposed network services and exploit them:
• Port scan, banner grabbing and OS fingerprinting
• Default credential brute-force / exploitation of known vulnerabilities in exposed services
• System access and privilege escalation
• Firmware dumping for sensitive data extraction (certificates, keychains, sensitive executables for further analysis)
Data Concentrator analysis
CASE STUDY
DATA CONCENTRATOR MULTI-VECTOR ATTACK > DRILL DOWN
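The MiTM and data-tampering step on DLMS-COSEM is the crux of both the Meter connection tampering threat and the Data Concentrator case study. The following Go program is an added example, not code from the original deck or from any DLMS implementation: it encodes a Get-Response carrying a register reading, shows the in-flight edit that turns 123456 Wh into 1000 Wh on an unprotected link, then wraps the same APDU with DLMS security suite 0 glo-ciphering (AES-128-GCM, 12-byte tag, nonce = system title || frame counter, AAD = security control || authentication key) and shows the same edit failing the tag check and a replay failing the frame counter check. The keys, system title, invoke id and frame counter values are constructed for the example, and the wrapper is simplified to the single-byte length form.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed keys and system title; real meters carry per-device keys
// provisioned at manufacturing.
var (
	encryptionKey     = []byte("0123456789ABCDEF") // 16-byte global unicast encryption key
	authenticationKey = []byte("FEDCBA9876543210") // 16-byte authentication key
	systemTitle       = []byte{'M', 'E', 'T', 0x00, 0x00, 0x00, 0x01, 0x02}
)

const (
	tagGetResponse    = 0xC4 // get-response APDU
	tagGloGetResponse = 0xCC // glo-get-response wrapper
	secAuthEncrypt    = 0x30 // security control: authenticated and encrypted, suite 0
	gcmTagSize        = 12   // DLMS uses a 96-bit GCM tag
)

// encodeGetResponse builds a minimal Get-Response-Normal carrying a
// double-long-unsigned (data tag 0x06) register value, e.g. active energy in Wh.
func encodeGetResponse(invokeID byte, value uint32) []byte {
	apdu := []byte{tagGetResponse, 0x01, invokeID, 0x00, 0x06, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(apdu[5:], value)
	return apdu
}

// decodeGetResponse is what the head-end does with the APDU it believes came from the meter.
func decodeGetResponse(apdu []byte) (uint32, error) {
	if len(apdu) != 9 || apdu[0] != tagGetResponse || apdu[1] != 0x01 || apdu[3] != 0x00 || apdu[4] != 0x06 {
		return 0, errors.New("not a Get-Response-Normal with double-long-unsigned data")
	}
	return binary.BigEndian.Uint32(apdu[5:]), nil
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(encryptionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, gcmTagSize)
}

// iv is the 12-byte GCM nonce: system title || frame counter.
func iv(frameCounter uint32) []byte {
	out := make([]byte, 12)
	copy(out, systemTitle)
	binary.BigEndian.PutUint32(out[8:], frameCounter)
	return out
}

// gloCipher wraps a plaintext APDU as 0xCC | len | SC | frame counter (4) | ciphertext | tag.
func gloCipher(frameCounter uint32, apdu []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	aad := append([]byte{secAuthEncrypt}, authenticationKey...)
	body := make([]byte, 5)
	body[0] = secAuthEncrypt
	binary.BigEndian.PutUint32(body[1:], frameCounter)
	body = gcm.Seal(body, iv(frameCounter), apdu, aad) // appends ciphertext || tag
	if len(body) > 127 {
		return nil, errors.New("example handles single-byte lengths only")
	}
	return append([]byte{tagGloGetResponse, byte(len(body))}, body...), nil
}

// gloDecipher verifies and unwraps a glo-get-response. lastFC is the highest
// frame counter already accepted from this system title: a counter that does
// not increase is a replay and is rejected before any cryptography runs.
func gloDecipher(lastFC *uint32, msg []byte) ([]byte, error) {
	if len(msg) < 2+5+gcmTagSize || msg[0] != tagGloGetResponse || int(msg[1]) != len(msg)-2 {
		return nil, errors.New("malformed glo-get-response")
	}
	body := msg[2:]
	if body[0] != secAuthEncrypt {
		return nil, fmt.Errorf("unsupported security control 0x%02X", body[0])
	}
	fc := binary.BigEndian.Uint32(body[1:5])
	if fc <= *lastFC {
		return nil, errors.New("replayed or stale frame counter")
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	aad := append([]byte{secAuthEncrypt}, authenticationKey...)
	apdu, err := gcm.Open(nil, iv(fc), body[5:], aad)
	if err != nil {
		return nil, errors.New("authentication tag mismatch: message was tampered with")
	}
	*lastFC = fc
	return apdu, nil
}

// xorValue is the MiTM edit: flip the bits at off so a known oldValue becomes
// newValue. It needs no key; it works on plaintext and would also work on
// CTR-style ciphertext if nothing authenticated the frame.
func xorValue(msg []byte, off int, oldValue, newValue uint32) []byte {
	out := append([]byte(nil), msg...)
	diff := oldValue ^ newValue
	for i := 0; i < 4; i++ {
		out[off+i] ^= byte(diff >> uint(24-8*i))
	}
	return out
}

func main() {
	reading := uint32(123456)
	plain := encodeGetResponse(0xC1, reading)
	v, _ := decodeGetResponse(xorValue(plain, 5, reading, 1000)) // unprotected link
	fmt.Println("plaintext reading after MiTM:", v)
	var lastFC uint32
	msg, _ := gloCipher(1, plain)
	_, err := gloDecipher(&lastFC, xorValue(msg, 12, reading, 1000)) // value bytes of the ciphertext
	fmt.Println("ciphered, tampered:", err)
	_, err = gloDecipher(&lastFC, msg)
	fmt.Println("ciphered, genuine: err =", err, "frame counter =", lastFC)
	_, err = gloDecipher(&lastFC, msg)
	fmt.Println("ciphered, replayed:", err)
}
```

For the tester the two checks in gloDecipher are the things to probe on a concentrator: a device that still answers in plain get-response, accepts a frame whose tag does not verify, or accepts a frame counter it has already seen leaves the tampering path of the case study open without any key extraction.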
Attack flow (in order):
• Spear phishing to gain access to the business networks of the energy company
• Theft of credentials from the business networks using ad-hoc malware
• Use of virtual private networks (VPNs) to enter the internal network
• Use of existing remote access tools within the environment (VNC, access to a remote dashboard over HTTP) or issuing commands directly from a remote station, similar to an operator HMI
• Access to BSS systems, billing data theft and exfiltration to a remote C&C (ex: over HTTP or DNS)
• Access to OSS systems and OT infrastructure (SCADA control systems)
• Serial-to-Ethernet communication devices impacted at firmware level (e.g. ModBus over Ethernet converters)
• Use of UPS systems to impact the connected load with a scheduled service outage
• Use of a modified KillDisk to erase the master boot record of the impacted organization's systems
• Telephone denial-of-service attack on the call center
• Outcome: infrastructure break down
CASE STUDY
CENTRAL SYSTEM MULTI-VECTOR ATTACK
Image for illustrative purposes
The Central System is a complex system where Business Support Systems and Operational Support Systems live together, with no well-defined boundaries, and it inherits the security problems of both IT and OT systems. The first step in analyzing the CS is understanding the perimeter:
• External exposure on the Internet
• People working inside it who may be targeted
• IT and OT boundaries and network segregation
The second step is understanding security maturity by:
• Reviewing the deployed security countermeasures (SIEM, policies, firewall/IPS rules, patch management, etc.)
• Performing scans to find exposed services and known vulnerabilities
• Performing penetration tests to uncover undisclosed vulnerabilities in the IT and OT infrastructure
Central System analysis
CASE STUDY
CENTRAL SYSTEM MULTI-VECTOR ATTACK > DRILL DOWN