Professional Documents
Culture Documents
2015 - Modeling Distributed Denial of Service Attack in Advanced Metering Infrastructure
2015 - Modeling Distributed Denial of Service Attack in Advanced Metering Infrastructure
Abstract—Imminent attacks on critical infrastructure can dis- and protocols, e.g., RF jamming, wireless scrambling, eaves-
rupt operations. It also interrupts information availability. One dropping, message modification and injection, whereas the
way through cyberspace is to harness the distributed computing device-based attacks are being manipulated through security
power and flood on targeted systems with massive information
as a consequence of denial in service. This paper discusses flaws of the device terminal to perform malicious activities,
the distributed denial of service (DDoS) attack, a potential such as metering storage tampering, man-in-the-middle at-
cyberthreat in AMI communication network. A typical DDoS tacks, denial-of-service attacks, or unauthorized use of ser-
includes two stages: (1) agents recruitment stage and (2) actual vices. The digital technologies enhance the extensibility and
attack stage. In this paper, various models of malware installation scalability of metering functions. However, it also introduces
and flooding attack on AMI devices are introduced and potential
impacts are studied. Some particular attack scenario is simulated new attack vectors to AMI system. An attacker can insert
using NS3. We also discussed the potential defense technologies. malicious code in memory of a smart meter to tamper data in a
storage [12]. Penetration testing identifies a number of possible
Index Terms—Advanced metering infrastructure, cybersecu- attacks against smart meters including meter spoofing, denial
rity, distributed denial of service attack. of service, and power disconnection [13]. Cyberattack target-
ing on AMI could disable real-time metering functionalities
I. R ECENT AMI D EVELOPMENT and cannot report updated energy usage [14], [15].
IINTERNET protocol (IP)-based advanced metering infras- A broader effort from government, academia, and industry
tructure (AMI) has been widely implemented in the recent has been made to address the cybersecurity issues in smart
years. This is an extension of existing automatic metering grid. A cybersecurity Risk Management Process (RMP) for
reading (AMR) systems with additional control capabilities. smart grids is proposed by the U.S. Department of Energy
In general, the IP-based devices have been promoted for most in cooperation with the National Institute of Standards and
home energy management applications [1]. The difference be- Technology (NIST) and the North American Electric Reliabil-
tween the AMR and AMI is that the AMI enables bidirectional ity Corporation (NERC) [16]. A wide range of cyberthreats
communication between AMI head-end and smart meters such have been explored. [11]–[14].
that the customers can manage their load consumption ac- In this work, we focus on the distributed denial of service
cording to the real-time pricing information. The AMI system (DDoS) attack in AMI network. The DDoS attack is initiated
consists of microprocessor-based energy meters, communica- by attack agents to exploit system vulnerabilities that affects
tion network, and AMI head-end [2]. The head-end is where the availability of network service/devices. The DDoS attack
the meter data management system (MDMS) is deployed that is one of the device-based attacks that targets at interrupting
integrates AMI networks with utility applications. the service availability of AMI. Once initiated, a DDoS
An AMI network features a hierarchical communication attack could cause a significant financial losses to the utility.
relations including home area network (HAN), neighbor area Discovering the potential attack attempt is vital and is also
network (NAN), and wide area network (WAN). The com- crucial to strategically respond to the security signals in order
munication technologies can be adopted in AMI network to avoid unnecessary detection cost. In this work, we explore
which include wireless communication (Zigbee, WLAN, LTE, the problem with the following steps:
etc.), power line carrier (PLC), and optical fiber [3], [4]. A 1) Conceptual model of DDoS attack in AMI network
variety of protocols are developed to meet the communication has been investigated with the methods adopted by
requirements for AMI, including ANSI C12.18/19/21, IEC the attackers to manipulate multiple “smart” meters
61107/62056 and open smart grid protocol (OSGP). The inter- (agents). Various mechanisms of the DDoS attack are
net protocol suite (IPS) provides rich options for building the also explored.
scalable communication infrastructure of AMI [5]. A number 2) We simulate DDoS mechanism scenarios using NS3 to
of existing smart metering protocols can be configured to work study the potential impact on AMI communication.
over the IPS [6]–[8]. 3) Finally, we discussed potential technologies that can be
The drawbacks of implementing AMI system are vulnerabil- applied to defend DDoS attack in AMI network.
ities to potential cyberthreats [3], [9], [10]. The cybersecurity
standards of AMI system include confidentiality, integrity, II. OVERVIEW OF DD O S ATTACK IN AMI N ETWORK
availability, and accountability [11]. The cyberthreats can be The DDoS attack is initiated by attack agents to exploit
divided into two categories: (1) connection-based and (2) system vulnerabilities that affects the availability of network
device-based vulnerabilities [3]. The connection-based attacks service/devices. A conceptual model of the direct DDoS attack
exploit the vulnerabilities existing in communication media is depicted in Fig.1. This model consists of attacker, victims,
SM
Access
Point
Data
Collector
SM Access IP Network
Point
…
Access
SM
Point
Attack Normal
Attacker Agents Attack Vector Victim
Information Flow Information Flow
and agents [17]. The main objective of attacker is to exhaust or software security weakness on the meter to implant mali-
the processing power and data bandwidth of the victims, cious program or adversely modify the firmware through the
jamming its communication channel [17], [18]. Generally, the communication module [20]. The attack must select a proper
DDoS attack can be divided into two stages: (1) recruitment propagation model to spread his malware. There exists 3
of attack agents and (2) attack phase. popular approaches, i.e. central repository, back-chaining and
autonomous, which are depicted in Fig. 2 [21]. When adopt-
A. Recruitment of Attack Agents ing the central repository approach, the attacker places the
malicious program in a file repository, and each agent copies
To be cost-effective in device design, the AMI metering the code from this repository. In the back-chaining model,
devices are generally built based on the off-the-shelf solutions the attacker can make the compromised agent download the
utilizing the commodity technologies. The key part of the malware from the attacking host. The autonomous approach
metering device is a system-on-chip (SoC) integrating re- is similar to the back-chaining one, but differs from the latter
duced instruction set computing (RISC)-based microprocessor, one in that the infection process is combined with the exploit
memory controller, SRAM, analog/digital converter (ADC), thus the agents do not have to download the malware from a
LCD display controller, USB controller, DSP, and commu- dedicated source.
nication modules. Some advanced digital meters may have
an embedded operating system running on the hardware, e.g. B. Mechanisms of DDoS Attacks
Linux [19]. The ADC converts the analog quantities from
voltage and current sensors to digital signals which can be There are many methods to initiate a DDoS attack [22]. We
processed by DSP and CPU. The communication modules are enumerate 3 categories of possible attack mechanisms in the
compatible with a variety of communication mechanisms to AMI network environment.
provide flexible data exchange configurations. 1) Attacks on protocol: The attacker can take advantage
To launch a DDoS in AMI network, an attacker first needs of the security risks lying in the protocol to deplete the
to identify the vulnerable digital meters as the agents. Since resources of the victim. For example, some IP-based
the AMI system features a network with large number of AMI networks may employ the transportation control
homogeneous device, it is very possible that a security flaw protocol (TCP) as the transportation layer protocol.
discovered in a single meter could exist in many other ones. The attacker can launch a TCP SYN flooding attack
Then the attacker requires to communicate with significant to disable the service on the AMI head-end or data
number of IP-based smart meters that have already been collecting unit [23].
infected with malicious code. It is impractical for an attacker to 2) Attacks on infrastructure: The AMI system built on
physically break into a large number of agents (compromised the IPS is a packet-exchange network where the routers
digital meters). Instead, the attacker can exploit the hardware play an important role. The attacker may intentionally
TABLE I
central repository PARAMETERS SETUP
Parameter Smart Meter DCU
Phy IEEE 802.11b DSSS11Mbps
Mac 802.11b 802.11s
Trans. layer TCP
download IP address range 10.0.{0˜8}.0/ 172.16.0.0/
malware 255.255.255.0 255.255.255.0
Service port no. 4059
Max. comm. hops 2
exploit repeat
attacker victim next victim as NAN communication mechanism. The network is a two-
level hierarchical wireless LAN communication structure. The
(a) first level consists of multiple smart meters and a single access
point (AP). These communication entities form a infrastructure
download malware basic service set (BSS) in wireless LAN. Within the same
infrastructure BSS, one station (smart meter) can communicate
with another one via the AP. There is no direct communication
between two stations belonging to two different BSSes even
though they are within the communication ranges of each
other’s. The APs are also equipped with the IEEE 802.11s
media access control (mac) protocols to provide mesh station
exploit repeat functionalities. In the second level communications, all APs
attacker victim next victim are organized in meshed topology to provide multi-hop packets
delivery paths to data collector. In 802.11s amendment, such
(b) network is referred as a mesh basic service set (MBSS) [27].
The smart meter application runs over the IPv4 protocol
stacks. Depending on the service type, e.g. metering data, man-
agement information, the application uses either TCP or UDP
protocol to send the packet. Then each packet is encapsulated
with IPv4 and IEEE 802.11 headers and transmitted to the
AP via the wireless medium. The AP serves as a wireless
exploit & copy repeat router and mesh gate. it translates between the MBSS and its
malware associated smart meters. The AP is equipped with dynamic
attacker victim next victim (olsr, aodv) or static routing protocols to backhaul the data to
data collector. If the AP is in the range of the data collector,
(c)
it will directly deliver the packet. Otherwise, it will send the
Fig. 2. Propagation methods: (a) central repository, (b) back-chaining, (c) packet to next AP. This process will repeat until the packet
autonomous [21] reaches the data collector. The example AMI NAN for case
study consists of 1 DCU gateway, 10 DCUs and 50 smart
meters. Each DCU is associated with 5 smart meters. The
disrupt the routing tables to deteriorate the performance parameters setup for the communication entities are shown
of packet delivery [24], [25]. in table I. The communication entities are distributed in a
3) Attacks on bandwidth: The attacker can manipulate a 150m×150m area.
large number of agents to send excessive communication The smart applications are modeled according to the Device
packets to the victim. The overwhelming traffic will Language Message Specification and Companion Specification
force the victim to drop an amount of the legitimate for Energy Metering (DLMS/COSEM) defined by IEC 62056
packets. A significant packets drop ratio may be ob- standards [7], [8]. The DLMS/COSEM can be configured
served [26]. with various communication profiles, e.g. HDLC protocol or
The attacker may use IP spoofing to hid his attack agents. This IPv4 stack [6]. When DLMS/COSEM works with the IPv4
strategy will increase the difficulty for the defender to trace protocol stacks, it can uses either TCP or UDP protocol for
back the source of the attack, especially when there are a huge communication. The port 4059 is specified for DLMS/COSEM
number smart meters in a network. applications.
Under normal conditions, the smart meters are scheduled
III. C ASE S TUDY OF DD O S IN AMI to report energy usage data every 2 minutes. We assume that
To illustrate the potential impact of the DDoS attack to the each compromised agent can generate 2Mbps UDP flooding
AMI communication, we simulate the bandwidth consumption attack flow to the DCU gateway. The simulation result is
attack using NS3. The case is depicted in Fig. 3. The exem- shown in Fig. 4. It can be observed that in a NAN the
plary IP-based AMI network employs IEEE 802.11 protocols network performance is seriously deteriorating with the grow-
10.0.0.x/ 10.0.1.x/
255.255.255.0 255.255.255.0
172.16.0.x/
255.255.255.0
ing number of attack agents. When 60% of the total meters IV. D EFENSE S TRATEGIES AGAINST DD O S ATTACK IN
are compromised and used as agents, near 50% packets are AMI
dropped, and the average and maximum end-to-end delays are
13.5 and 5.48 times higher than that when the system is in DDoS attacks over the Internet have been studied for
normal condition. As we discussed in previous sections, the long time. Similarly, the effects of DDoS on AMI network
bandwidth consumption attack can seriously affect the data are critical issues to utilities. It is important to detect and
availability of AMI system. prevent potentially malicious attempts. Multiple approaches
are developed for defending DDoS attack in Internet applica-
tions Depending on the point in time which defense takes
place, these methods can be divided into two categories:
1) attack prevention (before attacks are launched) and 2)
Avg. Delay Max. Delay Pkt. Drop Ratio attack detection (after attacks are launched). The prevention
25 60%
methods include improving system and protocol security level,
firewalls, resource allocation & accounting, etc. while the
20
50% detection approaches involves attack source identification and
End-to-end Delay (sec.)