EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE


UtiliNet Europe Cyber Security Workshop, Brussels, Belgium
Dr. Christian Hille, Dr. Manuel Allhoff, P3 group
17th May 2018

P3 GROUP PROFILE
With more than 3,800 engineers and consultants, we support customers all over the world

Overview
- P3 was founded in 1996 as a spin-off of the Fraunhofer Institute for Production Technology (IPT) at RWTH Aachen.
- P3 is a privately owned company with more than 3,800 consultants and experts in about 36 locations.
- 180 of them work in the field of electric mobility and a further 70 employees in the field of security.
- The majority of employees have a technical or scientific background.
- In 2017 the annual turnover of P3 was more than 360 million euros.
- The operational activity is carried out by sector-specific subsidiaries.

Business areas: Energy, Communication, Automotive, Aviation

15th March 2018

MOTIVATION
The market launch of electric mobility and the development of charging infrastructure come along with critical risks

Charging infrastructure is important
- In the future the significance and number of public charging points will strongly increase.
- Chart (amount of charging points [#], scale 0 to 36,000):
  - Public charging points: 5,800 (2015), 7,400 (2016), 2020 forecast shown at the top of the scale
  - Of which fast charging points: 150 (2015), 290 (2016), 7,000 (2020 forecast)
- Implications: capacity/energy demand in charging infrastructure, share of e-mobility in total mobility, frequency

Charging infrastructure is vulnerable
- In general charging points are unmanned and partially located in remote areas.
- Often physical protection cannot be guaranteed.
- Connection to a backend in which sensitive customer data is saved and processed.
- More and more frequently charging points are operated with the help of intelligent charging concepts.
- Charging station infrastructure (CIS) is open to potential attacks.

Charging infrastructure is critical
- Thresholds for critical infrastructure, e.g. in Germany:
  - Threshold value for critical infrastructure: 500,000 persons
  - Threshold value of energy supply: 420 MW
- In the future, 420 fast charging parks with 1 MW each (e.g. bundled in one system) can be assessed as critical infrastructure.
- Attacks on charging infrastructure have a direct impact on energy supply and traffic infrastructure.

SECURITY OF CHARGING INFRASTRUCTURE
Approach for a security analysis of charging infrastructure

1 Identification of potential attack vectors
   1. Physical aspects regarding the charging station: hardware, e.g. breaking of the case
   2. Information technology aspects (TCP/IP) regarding the charging station: HTTP, Secure Shell (SSH), other services incl. mobile network
   3. Information technology aspects (TCP/IP) regarding the backend system: HTTP, other services

2 Approach for the security analysis
   1. Preparation / reconnaissance
   2. Information procurement (especially via further interfaces, e.g. USB, RFID, ...)
   3. Valuation of information
   4. Execution of attacks
   5. Analysis and report

   Risk level (likelihood vs. impact):

   Likelihood   No impact   Minor   Major   Very severe
   High         0           5       3       1
   Medium       1           7       2       0
   Low          2           2       4       4
   Very low     4           6       3       8

3 Implementation of a security analysis for HTTP services (example)
   1. Authentication, e.g. lists of passwords
   2. Authorization, e.g. privilege escalation
   3. Session testing, e.g. session stealing
   4. Input validation, e.g. SQL injection
   5. Encryption validation
   6. Client-side testing, e.g. cross-site scripting, JavaScript execution, etc.
   * OCC protocol tests are also possible

SECURITY OF CHARGING INFRASTRUCTURE
Identification of potential attack vectors

Actors in the diagram: Electric Vehicle (EV), User, Mobility Provider, OEM (hard-/software), Charging Station, Chargepoint Operator (CPO), Distribution System Operator (DSO), Other Customers
Legend: attack vector, contract data, data exchange, temporary data exchange, metering, electricity

TEST-ENVIRONMENT
Setting of the test environment

- Communication and Authentication Module: Network 1: mobile network; Network 2: 10.0.0.23
- Backend: reached over the Internet (Network 1)
- Test client: Network 1: P3 WLAN network; Network 2: 10.0.0.100
- Network 2: 10.0.0.0 (local test network)

ATTACK VECTORS
Attack vector: paths to breach the charging infrastructure
Diagram: Internet, Electric Vehicle, Charging Station, Backend, with the attack vectors marked between them

ATTACK VECTORS
Attack vector: paths to breach the charging infrastructure
Diagram: Internet, Electric Vehicle, Charging Station, Backend; the attack vector discussed today is highlighted


RESULTS
Reconnaissance reveals services that can be attacked

Available services:
- SSH (open 22/tcp)
- HTTP (open 80/tcp)
- HTTPS (open 443/tcp)
- SOAP (open 9080/tcp)
Determined operating system: Linux 2.6.32 or 3.10
The same services are available on the mobile network interface. Hence, services can be attacked via the mobile network interface even without physical access.

RESULTS (PORT 22 - SSH)
Example: SSH uses a weak key-exchange algorithm and is vulnerable to brute force

SSH access
- SSH service used for maintenance (e.g. updates)
- Use of a weak key-exchange algorithm, namely diffie-hellman-group1-sha1
- This Diffie-Hellman group gives the (theoretical) possibility to derive the encryption key from the data traffic
- Brute force attack (systematic evaluation of all possible credentials, via the tools Hydra and Medusa)
- No protection against brute force, which is therefore efficient to perform
- With a known password schema: 10,000 possible combinations
- Brute force can be performed in parallel (e.g. 12 processes): approx. 8 minutes for 10,000 user/password combinations
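Two defender-side checks that follow from the two SSH findings on this slide, as an added example that is not part of the P3 slides: an sshd_config audit that flags SHA-1 based key exchange (including diffie-hellman-group1-sha1) and a missing attempt cap, and a detector that reads OpenSSH "Failed password" log lines and flags sources that exceed a threshold inside a sliding time window. The config fragments and log lines are constructed for the example; only the log line format is the real OpenSSH one.

```python
"""Added example, not part of the P3 slides: two defender-side checks that
follow from the SSH findings (weak key exchange, no brute-force protection).
The sshd_config fragments and the auth-log lines are constructed; the log
format is the standard OpenSSH 'Failed password' line."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SHA-1 based or 1024-bit key-exchange methods, including the one on the slide.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}


def audit_sshd_config(config_text):
    """Return a list of findings for an sshd_config given as text."""
    findings = []
    kex_seen = False
    max_auth_tries = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "kexalgorithms":
            kex_seen = True
            for algo in value.split(","):
                if algo.strip() in WEAK_KEX:
                    findings.append("weak key exchange enabled: " + algo.strip())
        elif key == "maxauthtries":
            max_auth_tries = int(value)
    if not kex_seen:
        findings.append("KexAlgorithms not set; the daemon default applies")
    if max_auth_tries is None or max_auth_tries > 3:
        findings.append("MaxAuthTries missing or above 3")
    return findings


# Standard OpenSSH failure line, e.g.
# "May 17 10:00:01 host sshd[1234]: Failed password for root from 10.0.0.100 port 40001 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect_bruteforce(log_lines, threshold=10, window_seconds=60, year=2018):
    """Return {source_ip: total_failures} for every address that produced at
    least `threshold` failed logins inside any `window_seconds` window.
    Syslog timestamps carry no year, so one is supplied."""
    failures = defaultdict(list)
    for line in log_lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            failures[m.group("ip")].append(ts)
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > timedelta(seconds=window_seconds):
                start += 1                       # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed sample: 12 attempts in 12 seconds from the test client address
# of the slides' test environment, plus unrelated noise from other hosts.
SAMPLE_LOG = [
    "May 17 10:00:%02d chargepoint sshd[%d]: Failed password for root from 10.0.0.100 port %d ssh2"
    % (s, 1000 + s, 40000 + s)
    for s in range(12)
] + [
    "May 17 10:05:00 chargepoint sshd[2000]: Failed password for invalid user admin from 10.0.0.55 port 41000 ssh2",
    "May 17 10:05:03 chargepoint sshd[2001]: Accepted publickey for maint from 10.0.0.7 port 41001 ssh2",
]

WEAK_CONFIG = """\
# constructed: resembles the finding on the slide
Port 22
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: modern key exchange, capped authentication attempts, keys only
Port 22
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
MaxAuthTries 3
PasswordAuthentication no
"""

if __name__ == "__main__":
    print("weak config:", audit_sshd_config(WEAK_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_CONFIG))
    print("brute-force sources:", detect_bruteforce(SAMPLE_LOG))
```

The detector keys on the source address, which is what a charging station can rate-limit (fail2ban-style) or report to the backend; the slide's 8-minute, 12-process run would show up as a burst of hundreds of failures per minute, far above the default threshold of 10 per minute used here.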

RESULTS (PORT 80/443 - WEB SERVICE)
Example: Encryption with a self-signed certificate and processing of login data

Web service
- Web service used for setting up the charging station
- Port 80 redirects to port 443 (self-signed certificate, signed with SHA-1)
- Login process of the web site runs over a non-encrypted channel
- Password gets hashed locally via MD5 (insecure hashing algorithm)
- A hashed password is only another representation of the password
- Reconstruction of the password with a Man-in-the-Middle (MitM) is possible
- Better: secure transmission of the password, which is then hashed on the server (not on the client)
- User credentials are processed by JavaScript, which leads to the file /opt/tm/etc/lighttpd/ssl/webconftool/.passwd containing the credentials for the web site login

RESULTS (PORT 80/443 - WEB SERVICE)
Example: Login without knowledge of the user credentials is possible

Web service login procedure
- A Session Storage cookie indicating that the user is logged in is added locally by the browser
- A cookie is a text file saved locally on the computer (text is always changeable)
- Local implies that users can modify the entry
- The login procedure only evaluates whether the entry is present, not whether it is valid
- Therefore a successful login is possible as follows:
  1. Attacker creates the Session Storage cookie
  2. Attacker adds an entry with key "username" without a value
  3. Attacker calls the success function via the web browser (no real check)
- All users have the same rights in the system
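The flaw on this slide is that the login decision is taken from a value the client controls and is tested only for presence. The following added example (not code from the P3 slides or from the charging station's configuration tool) puts the presence-only check next to a server-side session check in which the client holds nothing but an opaque random token. SessionStore and DEMO_CREDENTIALS are hypothetical stand-ins for the web configuration tool and its user table.

```python
"""Added example, not part of the P3 slides: the presence-only login check
described on the slide next to a server-side session check.  SessionStore
and DEMO_CREDENTIALS are hypothetical stand-ins for the charging station's
web configuration tool and its user database."""
import hmac
import secrets


def weak_is_logged_in(client_storage):
    """Mirrors the flaw on the slide: the client-held 'username' entry is
    only tested for presence, so an empty value passes."""
    return "username" in client_storage


# Constructed credential table; a real deployment stores salted slow hashes.
DEMO_CREDENTIALS = {"admin": "correct-horse-battery-staple"}


class SessionStore:
    """Server-side sessions: the client keeps only an opaque random token,
    and the server decides whether that token currently maps to a login."""

    def __init__(self, credentials):
        self._credentials = credentials
        self._sessions = {}          # token -> username

    def login(self, username, password):
        expected = self._credentials.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None              # no token, nothing for the client to hold
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._sessions[token] = username
        return token

    def is_logged_in(self, client_storage):
        token = client_storage.get("session")
        return token is not None and token in self._sessions

    def current_user(self, client_storage):
        return self._sessions.get(client_storage.get("session"))

    def logout(self, client_storage):
        self._sessions.pop(client_storage.get("session"), None)


if __name__ == "__main__":
    forged = {"username": ""}          # what step 2 on the slide produces
    print("weak check accepts forged entry:", weak_is_logged_in(forged))
    store = SessionStore(DEMO_CREDENTIALS)
    print("server-side check accepts forged entry:", store.is_logged_in(forged))
    token = store.login("admin", "correct-horse-battery-staple")
    print("after real login:", store.is_logged_in({"session": token}))
```

Because the token is generated by the server and only ever looked up, not interpreted, there is nothing a client can write into its own storage that the server will accept; authorization (the slide's last point, that all users have the same rights) would then hang off the username the server resolves from the token, not off anything the browser sends.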

ATTACK VECTORS
Attack vector: paths to breach the charging infrastructure
Diagram: Internet, Electric Vehicle, Charging Station, Backend; the attack vector discussed today is highlighted

RESULTS
Reconnaissance reveals services that can be attacked

Available services:

Service   Port   Brute force possible?
FTP       21
HTTP      80
HTTPS     443    NA
OpenVPN   1194   NA
SSH       2401
MySQL     3306

Determining the operating system was not possible, most likely due to the firewall in use. However, a good assumption is available.

RESULTS
Example: Evaluation of a brute force approach to breach the system

Experiment
- Experiment to evaluate the running time of brute force attacks on various services (no real attack, just a check of feasibility)
- Identical list of 10,000 user and password combinations
- A single-threaded brute force attack needs about 13 minutes on the Apache Tomcat server, about 10 minutes on the MySQL service, and about 27 minutes on the SSH service.
- Therefore, for an attacker it is only a matter of resources to breach the system's services.

RESULTS (PORT 21 - FTP)
Example: Brute force against FTP and evaluation of an available exploit

FTP
- Brute force attack on the password is not possible, because the FTP software disconnects after a few tries
- Common Vulnerabilities and Exposures (CVE): database of publicly known IT vulnerabilities operated by the US Department of Homeland Security
- CVE-2015-3306 (score 10.0) for ProFTPD 1.3.5 (and older versions) found, but the exploit was not successful

RESULTS (PORT 80 - WEB SERVICE)
Example: No encryption is used for the data transmission

Web service
- Web service used for maintaining and monitoring the charging station infrastructure
- It contains customer data and therefore deserves protection
- Unencrypted data transmission
- Server generates cookies for each user: the username is stored in LOGIN, the MD5 hash of the password in PWD
- Thereby login becomes possible by reading credentials from the data traffic, or by stealing valid cookies
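Both this slide (the MD5 hash of the password carried in the PWD cookie) and the charging station slide on port 80/443 (the password hashed by MD5 in the browser before login) rest on the same point: an unsalted hash that the server accepts directly is only another representation of the password, so whoever reads it off the wire can present it again. The added example below (not code from the P3 slides) shows that scheme next to server-side verification with a per-user salt and a slow hash, where the plaintext password travels only inside TLS and the stored value is of no use on its own. Usernames and passwords are constructed.

```python
"""Added example, not part of the P3 slides: why an MD5 hash of the
password, whether computed in the browser (charging station web service,
port 80/443) or carried in the backend's PWD cookie, is only another
representation of the password, and what server-side verification looks
like instead.  Passwords here are constructed."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000


def md5_hex(password):
    """The client-side transformation used on the slides."""
    return hashlib.md5(password.encode()).hexdigest()


def weak_verify(stored_md5, presented_md5):
    """The slides' scheme: the server receives MD5(password) and compares it
    with what it stores.  Anyone who saw the value on the wire or in the PWD
    cookie can present it again; the password itself is never needed."""
    return hmac.compare_digest(stored_md5, presented_md5)


def make_record(password):
    """Server-side storage: per-user random salt and a slow hash.  The
    plaintext password travels only inside TLS and is hashed here, so a
    database dump yields salted slow hashes rather than password equivalents."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def hardened_verify(record, presented_password):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", presented_password.encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(record["digest"], digest)


if __name__ == "__main__":
    pw = "Winter2018!"                       # constructed
    captured = md5_hex(pw)                   # what a MitM or cookie thief obtains
    print("weak scheme, replayed hash:", weak_verify(md5_hex(pw), captured))
    rec = make_record(pw)
    print("hardened, real password:", hardened_verify(rec, pw))
    print("hardened, replayed hash:", hardened_verify(rec, captured))
```

In the hardened form the cookie would carry a random session identifier issued after this check rather than LOGIN/PWD, and would be sent only over HTTPS; the replayed hash then fails because the server expects the password, not its digest, and two users with the same password get unrelated stored records.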

RESULTS (PORT 80 - WEB SERVICE)
Example: SQL injection with sqlmap is possible

Web service
- The login page (index.php) and further pages running in the background are vulnerable to SQL injection
- SQL injection: a request to the database that takes advantage of security vulnerabilities to cause unexpected behaviour
- Thereby, reading databases containing e.g. customer information becomes possible
- However, writing to the databases is not possible (no INSERT/UPDATE SQL statement within a SELECT SQL statement)
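The defect behind a login page that sqlmap can exploit is a query assembled from user input as text. The added example below (not code from the P3 slides or from the backend they tested) shows that query shape beside the parameterised form that closes it, run against an in-memory SQLite table with constructed rows; the slides' backend ran MySQL, where the same distinction between string-built and parameterised statements applies.

```python
"""Added example, not part of the P3 slides: the login query shape behind a
SQL injection finding next to the parameterised form that closes it.  Uses
an in-memory SQLite database with constructed rows standing in for the
backend's customer database."""
import hashlib
import sqlite3


def md5_hex(password):
    # hashing scheme taken from the slides' cookie finding, not a recommendation
    return hashlib.md5(password.encode()).hexdigest()


def setup_db():
    """Constructed user table standing in for the backend's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pwd TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", md5_hex("alice-pw")), ("bob", md5_hex("bob-pw"))],
    )
    return con


def vulnerable_login(con, login, pwd):
    """User input concatenated into the statement: the defect that tools such
    as sqlmap detect.  Quote characters in the input become part of the SQL."""
    query = "SELECT login FROM users WHERE login = '%s' AND pwd = '%s'" % (login, pwd)
    return con.execute(query).fetchone() is not None


def safe_login(con, login, pwd):
    """Placeholders: the driver passes values separately from the SQL text,
    so the input is only ever compared against the column, never parsed."""
    row = con.execute(
        "SELECT login FROM users WHERE login = ? AND pwd = ?", (login, pwd)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    con = setup_db()
    probe = "' OR '1'='1' --"        # the textbook probe for this defect
    print("valid credentials, safe:", safe_login(con, "alice", md5_hex("alice-pw")))
    print("probe, vulnerable:", vulnerable_login(con, probe, "anything"))
    print("probe, safe:", safe_login(con, probe, "anything"))
```

The slide's observation that reads were possible but writes were not matches a single-statement driver call like the one above, which rejects a second statement appended to the SELECT; that is a property of the driver, not a defence, and only the parameterised form removes the injection.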

SUMMARY
Various attack vectors have been evaluated and vulnerabilities with serious impacts have been revealed

- Charging station infrastructure is becoming more and more important in the near future.
- In this talk, three possible attack vectors to the charging station infrastructure have been evaluated (more vectors are possible).
- Vulnerabilities (brute force, CVEs, SQL injection, unencrypted communication channels, ...) were identified for all services.
- IT security principles should be considered from the beginning of a system's development to reduce the likelihood and the impact of a breach!

Dr. Christian Hille, Managing Director
Christian.Hille@p3-group.com
+49 (0)151 27654612
THANKS FOR YOUR ATTENTION!