Non-Technical Loss Fraud in Advanced Metering Infrastructure in Smart Grid

Transcription

1 Non-Technical Loss Fraud in Advanced Metering Infrastructure in Smart Grid Wenlin Han 1 and Yang Xiao 1 Department of Computer Science The University of Alabama whan2@crimson.ua.edu, yangxiao@ieee.org Abstract. Smart Grid employs Advanced Metering Infrastructure (AMI) to automatically manage metering and billing processes supporting various advanced features. Electricity theft is not limited to the traditional methods, such as bypassing power lines. In Smart Grid, adversaries could gain illegal benefit from the utility via various new ways, and we call this class of behavior as Non-Technical Loss (NTL) fraud. In this paper, we study various security issues in AMI and figure out which issues could be utilized by NTL fraud. We analyze various attacks in AMI and generalize attack tree of NTL fraud. We propose countermeasures for security issues to prevent NTL frauds. Keywords: Smart Grid security, Smart meter, Non-Technical Loss fraud, AMI. 1 Introduction Advanced Metering Infrastructure (AMI) is employed by Smart Grid to manage the metering and billing processes automatically [8,19,20]. Adversaries could utilize the two-way communication to gain illegal benefit. It causes economic loss to the utility, and the loss is not due to technical loss, such as electricity loss in transmission and distribution processes. We call this kind of loss as non-technical loss (NTL). This kind behavior is a fraud to the utility, and we call it NTL fraud. According to a recent study, the utility in the U.S. lost six billion dollars per year because of NTL frauds [9]. In emerging market countries, such as China, economic loss due to NTL frauds is also huge. A recent report says that the top 50 emerging market countries lose 58.7 billion dollars each year [9]. In Smart Grid, not only the customers can steal electricity, the outside adversaries could steal electricity as well. They can control smart meters remotely to gain illegal benefit. At the same time, the traditional methods such as bypassing and slowing down meters are still applied to smart meters. Intrusion Detection Systems (IDS) [10] are employed to secure Smart Grid, among which SCADA [4] and AMIDS [12] are popular applications. Many detection schemes have been proposed [5, 7, 9, 17, 18]. They either aim at addressing general security issues in Smart Grid or propose detection schemes to detect

2 2 Wenlin Han and Yang Xiao NTL frauds. However, none of them analyze NTL fraud itself and how various attacks relate to an NTL fraud. In this paper, we study various security issues in AMI and how they relate to NTL frauds. We generalize an attack tree for NTL frauds which describes how various attacks collaborate to commit NTL frauds. We propose countermeasures for these security issues to prevent NTL frauds. The main contributions of this paper include: We analyze how various security issues relate to NTL fraud. We generalize an attack tree for NTL fraud. We propose countermeasures to prevent NTL fraud. The rest of the paper is organized as follows: In Section 2, we introduce the framework of AMI. In Section 3, we introduce NTL frauds and the attack tree in details. We introduce security issues and propose countermeasures in Section 4. We conclude the paper in Section 5. 2 AMI Overview AMI is an automatic pricing, metering and billing infrastructure in Smart Grid which integrates with current state-of-the-art electronic hardware devices and software systems. Smart Meter Home Area Network... Neighborhood Area Network Smart Meter Collector Home Area Network... Wide Area Network Head-end System Smart Meter Home Area Network... Neighborhood Area Network Smart Meter Collector Home Area Network Fig. 1. The conceptual communication framework of AMI.

3 Non-Technical Loss Fraud 3 As shown in Fig. 1, a Home Area Network (HAN) forms when home appliances and smart meters in a household join the AMI. In a community, a collector in installed to gather local information, thus forming a Neighbourhood Area Network (NAN) [19, 20]. When several HANs are connected and report to the head-end systems, it is a Wide Area Network (WAN). In the U.S., the utility employs ANSI C12 serials as the communication protocol for AMI, including ANSI C12.18, 19, 21 and 22 [6]. 3 NTL Fraud In the traditional power grid, adversaries are limited to the customers of the utility. And, the forms of NTL fraud are limited to interrupting measurement physically. In Smart Grid, outside attackers could control smart meters remotely. The comparison between NTL fraud in the traditional power grid and Smart Grid is shown in Table 1. Table 1. Comparison between NTL Fraud in the Traditional Power Grid and Smart Grid Adversary Method the traditional power grid inside customers interrupt measurement interrupt measurement inside customers Smart Grid tamper meter outside attackers intrude network We studied various security issues, vulnerabilities, threats and attacks in AMI and generalized an attack tree for NTL fraud, shown in Fig. 2. There are three general ways to commit an NTL fraud including interrupt measurement, tamper meter and intrude network. 4 NTL Related Security Issues and Countermeasures After further analyzing on various security issues in Smart Grid, we identify some issues that could cause an NTL fraud, and we propose related countermeasures to deal with these issues. 4.1 Firmware rewrite A smart meter has firmware installed in its micro-controller. The firmware is the operating software to control the meter s operations, such as metrology and communication. If an adversary has the ability to modify or rewrite the firmware, (s)he can get full control of the meter. Meter vendors often use foil seal, lockable micro-controller, and other tamper detection mechanisms to prevent smart meters from case opening, hardware

4 4 Wenlin Han and Yang Xiao NTL fraud OR OR Tamper meter Network intrusion OR OR AND OR Interrupt measurement OR Key spoofing Firmware rewrite Impersonation attack Password cracking Intercept communication Data injection Key spoofing Attach magnet Bypassing Side channel attack Brute-force attack MIM attack Message manipulation Key escrow Fig. 2. The attack tree of NTL fraud showing how various attacks related to NTL fraud. AND means that the attacks on the left subtree are the prerequisite a NTL fraud. OR means that the attacks on either the left or the right subtree should occur to commit a NTL fraud.

5 Non-Technical Loss Fraud 5 probing and firmware reading. However, an adversary can sacrifice many devices to learn about the protection mechanisms. To prevent firmware manipulation, consistency checking of meter readings and sending heart beat signals are often employed [16]. However, a skilled adversary with inside knowledge can still reprogram the firmware. The purpose of firmware rewrite is far beyond an NTL fraud, and usually committed by organized crime to sell meter hacking kit for profit. But, from a customer s point of view, stealing electricity without being detected might be the main concern. To prevent firmware rewrite, the whole image of the firmware should be encrypted to ensure confidentiality. And, all new firmware should be validated, authenticated and checked for integrity upon installation. Here, we propose installing a tamper-resistant chip for each smart meter, which is a micro-controller responsible for keeping the meter secure. A RSA key pair is burned into each chip during manufacture process. The private key is used to generate symmetric session keys and never leaves the chip. Any change to the meter s firmware must be authenticated before committed. The public key pair is used to authenticate firmware update. The key size of RSA could be 2048 bits, since RSA claims that 2048-bit keys are uncrackable until Symmetric session keys are used to exchange messages in AMI, since AMI protocols recommend symmetric cryptography, such as ANSI C12.21 that uses DES. Traditionally, we talk more about how to develop security-focused software. However, the development cycle of firmware should be security-focused as well. The design vulnerabilities of firmware could be utilized by an adversary. The adversary may not be able to reprogram the whole firmware, but at least (s)he can inject code into the firmware. If the injected code is to manipulate billing time information of the meter, it is an NTL fraud. Buffer overflow might be the most commonly used vulnerability for code injection. Common methods to prevent buffer overflow in software design include: canary and non-executable (NX) bit. A canary is a random value placed between local variables and return address to alert the modification of the return address. However, smart meters have limited physical address space, so canaries are practically guessable or cannot resist continuous probing. NX bit is to prevent a program segment from being executed. But, it is not supported by smart meter memory management. McLaughlin et al. [13] propose firmware diversity to solve buffer overflow problem, which encrypt the return address with three different keys before it is written to the stack. After further analysis, we find that the computational overhead is very large which may affect the performance of the meter. We propose encrypting the return address only once. With the support of tamper-resistant chip, we believe encrypting the return address once is enough. 4.2 Impersonation attack In Smart Grid, a customer may replace a legitimate meter with a fake one. A crime organization may steal firmware to clone meters and sell them for profit. A customer with inside knowledge may use a computer and special software to

6 6 Wenlin Han and Yang Xiao emulate a smart meter. If an adversary impersonates a smart meter and sends billing messages with manipulated time information, it is an NTL fraud. Different from firmware rewrite that manipulates meters directly, impersonation attack does not affect the originality of meters. Therefore, the tamperresistant chip cannot detect it. You may think about using the RSA key of the chip to authenticate communication each time, so that an adversary cannot impersonate a legitimate smart meter without this key. However, Public Key Infrastructure (PKI) does not fit in Smart Grid AMI. It needs support technicians to maintain the CA servers, to address various problems and to develop related documents. As reported, the ratio of support staff to certificate is 1:1000 [11]. Currently, the number of smart meters installed by utilities in the U.S. varies from 0 to 5 million, and the number keeps increasing [2]. Thus, if a utility installs 5 million smart meters with 5 million certificates, 500 support staffs will be needed to maintain normal operations. Therefore, we propose employing public keys without the need of certificates. 4.3 Password cracking Password cracking is where password is extracted by an adversary for a malicious purpose. In AMI, special table structures are defined in ANSI C12.19 to convey information exchanged within the networks of AMI. Passwords are bound to different roles to access these tables, which is defined by the access control policy. Passwords are stored in smart meters and they can even been transferred via messages. If an adversary obtained the passwords of these tables, (s)he could peak into the tables or even change the values of table items. We summarize tables that could be used for NTL frauds and list them in Table 2. Tables 40 to 45 are security related tables. They define various security limits such as the minimum lengths of passwords and keys. They convey security information such as password, keys and access control. Password spoofing on these tables does not directly lead to NTL frauds, but it may provide crucial information for adversaries to penetrate defense systems. Tables 50 to 55 are time related tables. They convey information of time, clock and TOU, which are used for timestamping, pricing, billing and payment in AMI. If the passwords of these tables are spoofed, it could directly lead to NTL frauds. For example, if an adversary spoofs the password of the clock table, (s)he can increase or decrease the value of local clock, thus drags a peak time billing to a non-peak time billing [6]. The minimum password length required in ANSI C12.19 is 20 bytes and they are randomly generated. Thus, for now, the password strength is fine, and it is not easy to crack the passwords by brute-force attacks on smart meters. However, ANSI C12.18 and ANSI C12.20 allow sending clear text passwords [1], therefore, it is easy to hijack passwords in communication networks. As a countermeasure, the first thing is to band sending passwords in clear text.

7 Non-Technical Loss Fraud 7 Table 2. Security and Time Related Tables in ANSI C12.19 and Password Cracking Consequences Category Security tables Time and Time-of-use (TOU) tables Table ID 40 Table Name Security Dimension Limits Table Description various security limits, such as password length limit and key length limit actually applied security limits Password Cracking Consequence expose security strength Actual Security exposes security 41 Limiting Table strength exposes real 42 Security Table stores passwords values of passwords access privileges of exposes the Default Access 43 roles on tables bonds between Control Table by default tables and passwords exposes the access privileges 44 Access Control Table bonds between of roles on tables tables and passwords exposes 45 Key Table stores encryption keys encryption keys Time and various time exposes timing 50 Time-of-use (TOU) and TOU limits, information Dimension Limits Table such as clock precision 51 Actual Time and Time-of-use (TOU) Limiting Table 52 Clock Table 53 Time Offset Table 54 Calendar Table 55 Clock State Table actually applied time and TOU limits stores local clock value time offset between local time and global time year, month, date, daylight saving, etc. states of local clock exposes timing information changes this value could directly lead to NTL frauds changes this value could directly lead to NTL frauds changes this value could directly lead to NTL frauds exposes local clock status

8 8 Wenlin Han and Yang Xiao 4.4 Key spoofing Key spoofing is where an adversary extracts encryption keys to decrypt messages or harass authentication processes. There are two general ways to spoof keys. The first way is to extract keys from smart meters, which relies on various side channel attacks, such as side channel timing attack, cold boot attack and DMA attack. A tamper-resistant chip should be installed in each smart meter, and sensitive information, such as passwords and keys should be secured by hardware-level encryption. The second way is to extract keys in communication networks. AMI networks employ symmetric key encryption and authentication, among which ANSI C12.21 employs DES of random token and ANSI C12.22 employs AES-EAX with a key length of 128 bits [15]. It is well-known that DES is not secure. AES-EAX is a choice for authentication on resource-constrained devices, but its security lacks of formal proofs for a long time. Minematsu et al. publish a formal secuirty analysis on AES-EAX in the paper [14], which proves the security of AES-EAX against a few attacks, such as chosen-message forgeries, chosen-ciphertext attack, chosen-plaintext attack, etc. However, they also prove that AES-EAX is not secure when the cleartexts are shorter than one block. Moreover, the security of EAX is built on AES 128 bits. If AES 128 bits is not secure, EAX is not secure as well. Beside security strength, another problem of symmetric keys in AMI is key management. We believe that Certificateless Public Key Cryptosystem (CL- PKC) is a good choice for AMI in Smart Grid. The concept of CL-PKC [3] was proposed by Al-Riyami in Similar to Identity-base cryptosystem, CL-PKC also needs a key generation center. However the key generation center does not have full control of the private keys. Instead, it generates partial private keys and distribute to users. The users choose secret values of their own, and combine with the partial private keys to generate their full private and public key pairs. CL-PKC does not need to maintain certificates and it does not suffer from key escrow. CL-PKC has low communication and storage cost, thus, it is suitable for resource-constrained devices. 4.5 Man-in-the-middle attack Man-in-the-middle (MIM) attack in AMI is where an adversary intrudes the communication between two smart meters, or between a smart meter and the head end to make them believe they are communicating directly. MIM has no direct relationship with NTL frauds. However, MIM is a typical attack to eavesdrop sensitive information, such as passwords and keys in the networks. Thus, it often occurs with NTL frauds. As shown in Fig. 2, an adversary has to intercept communication before (s)he injects data, extracts keys or attacks time synchronization. MIM attack is one of the most typical attacks to intercept communication. Thus, to resist MIM attack, we need to build a reliable authentication mechanism. And it is the same as to protect keys.

9 Non-Technical Loss Fraud Message manipulation attack Message manipulation attack in AMI is where an adversary alters the messages sent between two smart meters or between a smart meter and the head end. If the adversary alters the time related information of the billing messages, it could result in NTL frauds. For example, the adversary could alter the billing time at application layer to move it a few seconds earlier or a few seconds later, and both of the behaviors may drag the billing from a peak-time billing to a non-peak-time billing. As a countermeasure, we should compare the timestamps of the application layer and the mac layer to verify the billing time. Moreover, we should not discard the packets with obsolete timestamps directly as many existing systems do. It could result in NTL frauds. We should build up an efficient message authentication mechanism. 5 Conclusion In this paper, we studied NTL fraud in AMI in Smart Grid. We analyzed various security issues, vulnerabilities, threats and attacks in AMI. We eliminate unrelated attacks and generalized an attack tree for NTL fraud. We further studied each attack in the attack tree and proposed countermeasures. As a future work, we will refine the design of the proposed tamper-resistant chip for smart meters and key management in AMI. Acknowledgement This work was supported in part by the National Nature Science Foundation of China under the Grant , and the National Science Foundation (NSF) under Grant CNS References 1. Smartgrid/aeic ami interoperability standard guidelines for ansi c12.19 / ieee 1377 / mc12.19 end device communications and supporting enterprise devices, networks and related accessories. available at: (2013) 2. Utility-scale smart meter deployments: Building block of the evolving power grid. available at: SmartMeterUpdate 0914.pdf (2014 (accessed January 7, 2016)) 3. Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Proceedings of the 9th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT 03). pp (Dec 2003) 4. Gao, J., Liu, J., Rajan, B., Nori, R., Fu, B., Xiao, Y., Liang, W., Chen, C.L.P.: Scada communication and security issues. Security and Communication Networks Security Comm 7(1), (2014)

10 10 Wenlin Han and Yang Xiao 5. Han, W., Xiao, Y.: CNFD: A novel scheme to detect colluded non-technical loss fraud in smart grid. The 11th International Conference on Wireless Algorithms, Systems, and Applications (WASA 2016), accepted (2016) 6. Han, W., Xiao, Y.: Combating TNTL: Non-technical loss fraud targeting timebased pricing in smart grid. The 2nd International Conference on Cloud Computing and Security (ICCCS 2016), accepted (2016) 7. Han, W., Xiao, Y.: NFD: A practical scheme to detect non-technical loss fraud in smart grid. In: Proceedings of the 2014 International Conference on Communications (ICC 14). pp (June 2014) 8. Han, W., Xiao, Y.: IP 2 DM for V2G networks in smart grid. In: Proceedings of the 2015 International Conference on Communications (ICC 15). pp (June 2015) 9. Han, W., Xiao, Y.: FNFD: A fast scheme to detect and verify non-technical loss fraud in smart grid. International Workshop on Traffic Measurements for Cybersecurity (WTMC 16), accepted, DOI: (2016) 10. Han, W., Xiong, W., Xiao, Y., Ellabidy, M., Vasilakos, A.V., Xiong, N.: A class of non-statistical traffic anomaly detection in complex network systems. In: Proceedings of the 32nd International Conference on Distributed Computing Systems Workshops (ICDCSW 12). pp (June 2012) 11. Khurana, H., M.Hadley, Lu, N., Frincke, D.A.: Smart grid security issues. IEEE Security Privacy 1(8), (Feb 2010) 12. McLaughlin, S., Holbert, B., Zonouz, S., Berthier, R.: AMIDS: A multi-sensor energy theft detection framework for advanced metering infrastructures. In: Proceedings of the 2012 IEEE Third International Conference on Smart Grid Communications (SmartGridComm 12). pp (Nov 2012) 13. McLaughlin, S., Podkuiko, D., Delozier, A., Miadzvezhanka, S., McDaniel, P.: Embedded firmware diversity for smart electric meters. In: Proceedings of the 5th USENIX conference on Hot topics in security (HotSec 10). pp. 1 6 (Aug 2010) 14. Minematsu, K., Lucks, S., Morita, H., Iwata, T.: Attacks and security proofs of eax-prime. In: Proceedings of the 20th International Workshop on Fast Software Encryption. pp (Mar 2013) 15. Moise, A., Beroset, E., Phinney, T., Burns, M.: EAX cipher mode (may 2011). available at: /proposedmodes/eax-prime/eax-prime-spec.pdf (2011) 16. Skopik, F., Ma, Z., Bleier, T., Grneis, H.: A survey on threats and vulnerabilities in smart metering infrastructures. International Journal of Smart Grid and Clean Energy 1(1), (Sept 2012) 17. Xia, X., Liang, W., Xiao, Y., Zheng, M.: BCGI: A fast approach to detect malicious meters in neighborhood area smart grid. In: Proceedings of the 2015 International Conference on Communications (ICC 15). pp (June 2015) 18. Xia, X., Liang, W., Xiao, Y., Zheng, M., Xiao, Z.: Difference-comparison-based approach for malicious meter inspection in neighborhood area smart grids. In: Proceedings of the 2015 International Conference on Communications (ICC 15). pp (June 2015) 19. Xiao, Z., Xiao, Y., Du, D.: Building accountable smart grids in neighborhood area networks. In: Proceedings of the IEEE Global Telecommunications Conference 2011 (GLOBECOM 11). pp. 1 5 (Dec 2011) 20. Xiao, Z., Xiao, Y., Du, D.: Non-repudiation in neighborhood area networks for smart grid. IEEE Communications Magazine 51(1), (Jan 2013)