22-08-2013, 03:38 PM
Energy Theft in the Advanced Metering Infrastructure
Abstract
Global energy generation and delivery systems are transitioning to a new computerized "smart grid". One of the principal components of the smart grid is an advanced metering infrastructure (AMI). AMI replaces analog meters with computerized systems that report usage over digital communication interfaces, e.g., phone lines. However, with this infrastructure comes new risk. In this paper, we consider adversarial means of defrauding the electrical grid by manipulating AMI systems. We document the methods adversaries will use to attempt to manipulate energy usage data, and validate the viability of these attacks by performing penetration testing on commodity devices. Through these activities, we demonstrate that not only is theft still possible in AMI systems, but that current AMI devices introduce a myriad of new vectors for achieving it.
Introduction
The smart grid being globally deployed today will forever change the way energy is used. This new infrastructure offers more efficient, lower cost, and more environmentally sound energy management than its antiquated predecessor. The advanced metering infrastructure (AMI) is a crucial piece of this new smart grid infrastructure. AMI provides a computer-based sensor system that extends from the homes and buildings that use power to the utilities that manage it. From a technology standpoint, AMI provides the necessary communication and control functions needed to implement critical energy management services such as fine grained pricing schemes, automatic meter reading, demand response, and power quality management. The smart grid has been widely deployed in Europe and Asia, with other parts of the world seeing more gradual but accelerating adoption.
AMI Background
The advanced metering infrastructure (AMI) is the sensor network of the smart grid. It provides the information about energy usage (demand) to utilities, consumers and the grid itself. This enables all parties to make better decisions about reducing costs and strain on the grid during times of peak demand. The necessary information about demand is coupled with the energy distribution itself. This information is measured and aggregated by smart meters, digital electric meters that contain commodity CPUs, storage, and communication interfaces. These two components, smart meters and communication networks, form the infrastructure needed to provide AMI services. Broadly speaking, smart meters perform four basic functions with respect to power management: a) the monitoring and recording of demand, b) the logging of power relevant events, e.g., outages, c) the delivery of usage and logging information to the upstream utilities, and d) delivering and receiving of control messages, e.g., controlling smart appliances, remote disconnect, etc.
Energy Theft
In this section, we use the security modeling technique of attack trees [14] to understand strategies for energy theft in AMI. Attack trees recursively break down an adversary goal into subgoals until a number of possible attack strategies are reached. The root node specifies the single goal of all attacks in the tree; in our case, this goal is demand forgery. Below the root node is a set of subgoal nodes that describe different approaches towards the root goal. The leaf nodes, which have no descendants, represent the specific attacks that must take place for the goal to be achieved. Paths to the root goal are augmented with the logical operators AND and OR, which determine whether one or all of the children of a given internal node need to be completed in order to achieve the goal.
Energy Theft Attack Tree
We present an attack tree for energy theft in Figure 2. As shown, the single requirement for energy theft is the manipulation of the demand data. There are three ways to tamper with demand data: a) while it is recorded (via electromechanical tampering), b) while it is at rest in the meter, and c) as it is in flight across the network. We discuss each of these ways in detail.
The first class of attacks, which aim to prevent the meter from accurately measuring demand, are the only class that previously existed for analog meters. The other two classes are exclusive to AMR and AMI. AMI does increase the difficulty of executing this class of attacks by logging sensor data that determines when power is cut to the meter, or if reverse energy flow occurs.
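The following is an added example, not code from the paper or the page: a small attack-tree evaluator that encodes the three tamper classes above as OR-children of the root goal "demand forgery", enumerates the minimal sets of leaf attacks that reach the root, and checks whether a given set of completed leaf attacks suffices. The tree is a simplified reconstruction from the text, not the paper's Figure 2; the leaf names and the AND node under the first class (physical tampering must also evade the power-cut and reverse-flow logging the text mentions) are assumptions made for illustration.

```python
"""Attack-tree evaluator (added example; tree is an illustrative
reconstruction from the section text, not the paper's Figure 2)."""
from dataclasses import dataclass, field
from itertools import product
from typing import FrozenSet, List, Set


@dataclass
class Node:
    name: str
    op: str = "LEAF"                # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)


def minimize(sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Drop any strategy that is a strict superset of another one."""
    return {s for s in sets if not any(o < s for o in sets)}


def strategies(node: Node) -> Set[FrozenSet[str]]:
    """All minimal sets of leaf attacks that satisfy `node`.

    OR: any one child's strategy works, so take the union of the
    children's strategy sets. AND: every child must be satisfied, so
    combine one strategy from each child (cross product) and merge.
    """
    if node.op == "LEAF":
        return {frozenset([node.name])}
    if node.op == "OR":
        result: Set[FrozenSet[str]] = set()
        for child in node.children:
            result |= strategies(child)
        return minimize(result)
    if node.op == "AND":
        combos = product(*(strategies(c) for c in node.children))
        return minimize({frozenset().union(*combo) for combo in combos})
    raise ValueError(f"unknown operator {node.op!r}")


def achieved(node: Node, completed: Set[str]) -> bool:
    """True if the attacks in `completed` are enough to reach `node`."""
    if node.op == "LEAF":
        return node.name in completed
    if node.op == "AND":
        return all(achieved(c, completed) for c in node.children)
    return any(achieved(c, completed) for c in node.children)


# Assumed leaf names; the three subgoals are the tamper classes a), b), c)
# from the text. Class a) is an AND because AMI logs power-cut and
# reverse-flow events, so the physical attack must also evade that logging.
DEMAND_FORGERY = Node("demand forgery", "OR", [
    Node("tamper while recorded", "AND", [
        Node("prevent accurate measurement"),
        Node("evade tamper logging"),
    ]),
    Node("tamper data at rest in meter"),
    Node("tamper data in flight on network"),
])


if __name__ == "__main__":
    for s in sorted(strategies(DEMAND_FORGERY), key=sorted):
        print(" AND ".join(sorted(s)))
    print(achieved(DEMAND_FORGERY, {"prevent accurate measurement"}))
```

Run as a script, the block lists the three minimal strategies and then reports that physical tampering alone does not reach the goal once the tamper log has to be evaded as well, which is the point the paragraph makes about AMI raising the cost of the first attack class.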
System Under Study
In this section, we describe the environment and tools used for our preliminary smart meter security analysis. This analysis included reverse engineering and attacking meter communication protocols and details about the capabilities of the meters themselves. We describe the functionality and aspects of the implementation that are relevant to the results of the security analysis without respect to any specific vendor or equipment.
The full experimental testbed is shown in Figure 3. It provides the full range of functionality needed to evaluate the security of the meters and communications within a typical AMI configuration. The local network, a wireless mesh operating in the 900 MHz band, is the only interface not yet evaluated in our study.
Understanding Vulnerabilities
Up to this point, we have modeled attacks leading to energy theft and shown vulnerabilities and proof of concept attacks in an AMI system. The goal now is to understand the design assumptions behind the vulnerabilities. The grouping of attacks by these assumptions is shown in Table 1. We explain the impact of each of these assumptions on attacks on AMI and show that they create three properties that increase the ease and monetization of energy theft: amplification of effort, division of labor, and an extended attack surface.
Conclusion
We posit that the basic requirements of AMI are in conflict with security. While some poor engineering choices are sure to exacerbate some of these issues, there are fundamental reasons why a fully digitized metering system is inherently more dangerous than its analog predecessor. Several of these reasons include:
Amplification of effort: In many cases, compromising a single meter is sufficient for stealing power with many more. Attacks that capture a password once and use it many times, or the penetration of a head end meter to modify all usage in an area, are examples.