Industrial Control Systems Security

Increases in connectivity and standardization have opened industrial control systems to malicious code execution. These attacks, such as the Stuxnet attack, use malicious code to manipulate Programmable Logic Controllers (PLCs). Despite the large number of control system and PLC vulnerabilities released in the last few years, attackers leveraging these vulnerabilities to execute code on PLCs face a fundamental limitation. The semantics of PLC variables are unknown. This is due to the nature of PLC programming, in which even source code often contains semantically meaningless variables, e.g., I 0.0 and Q 1.2. Thus, the adversary cannot determine how to write malicious code to manipulate the control system as desired. This has led to criticism that PLC code execution attacks are not practical enough to warrant significant effort for defenses, except in the most critical infrastructure.

Framework for automated attacks on industrial control systems

We show that this is not the case, and that in fact, PLC-based attacks are far more practical than previously thought. We develop a tool called SABOT to demonstrate that an adversary armed only with a model of a target control system can automatically generate attack code for a PLC to achieve a desired effect. This is because SABOT does the work of fitting the adversary's model onto the actual system implementation found in the victim PLC. Even with our initial implementations based solely on model checking, adversarial models that missed entire pieces of plant functionality could still be matched to the victim controller code. This reduction in the sophistication needed for PLC code execution attacks suggests that a second look at PLC-specific defenses is in order.

Related Publications

Stephen McLaughlin and Patrick McDaniel. SABOT: Specification-based Payload Generation for Programmable Logic Controllers. 19th ACM Conference on Computer and Communications Security (CCS). Raleigh, NC, USA. October 2012.

Stephen McLaughlin. On Dynamic Malware Payloads Aimed at Programmable Logic Controllers. 6th USENIX Workshop on Hot Topics in Security, San Francisco, CA. August, 2011.

Load Monitoring Privacy

One benefit of smart metering is increased time-resolution of power measurements. Utilities no longer view monthly records of power consumption, but 15-minute or smaller intervals to administer time of day pricing, and monitor power quality. Less attractive to utility customers, this high-resolution data can also be analyzed to determine homeowner behavior. Algorithms known as Non-Intrusive Load Monitors (NILMs) can reconstruct individual device behavior from observations of power consumption over time. While it is possible to modify smart meters to protect a user's privacy against NILMs (several such schemes already exist), there is no guarantee that a power utility will want to engage in such a scheme.

Non-Intrusive Load Levelling

As an alternative to requiring utility cooperation for power data privacy, we design a scheme based on using in-home energy storage (a battery) to offset electric loads themselves, thus masking occupant and device behaviors. Our approach, called Non-Intrusive Load Levelling (NILL) effectively reduces the electricity usage features in a resident's meter data by 95-99%. Several additional algorithms based on a stepping framework further compensate for deficiencies in NILL when handling electric loads that cause the battery to drain frequently while offsetting electric loads.

Related Publications

Weining Yang, Ninghui Li, Yuan Qi, Wahbeh Qardaji, Stephen McLaughlin and Patrick McDaniel. Minimizing Private Data Disclosures in the Smart Grid. 18th ACM Conference on Computer and Communications Security (CCS). Raleigh, NC, USA. October 2012.

Stephen McLaughlin, Patrick McDaniel, and William Aiello. Protecting Consumer Privacy from Electric Load Monitoring. 18th ACM Conference on Computer and Communications Security (CCS 2011), Chicago, IL, USA. October, 2011.

Advanced Metering Infrastructure Security

AMI meter LANs and backhaul networks

The Advanced Metering Infrastructure (AMI) is the next generation electric metering platform for smart grids. AMI links digital smart meters with electric utilities to provide advanced pricing schemes, remote meter reading, outage management, and a host of other automated services. With smart meters currently replacing the analog meters in millions of homes in the US and abroad, we wish to understand efficacy of the security mechanisms present in meters, networks, and utilities. To do so, we are performing a hands on security analysis of several commercially available smart metering products.

This project aims not only to identify security vulnerabilities in commercial smart meters, but to develop a methodology for the systematic security evaluation of current and future smart metering systems. This methodology uses attack trees to enumerate the types of attacks that can be used to achieve a particular adversarial goal against AMI. The example attack tree below shows some of the ways in which an adversary might attempt to fraudulently reduce an electric bill by forging the demand data reported to the utility. One of our first results was to successfully construct and execute the network based attack in subtree (c) with one of the commercial metering systems in our study.

An attack tree targeted at energy fraud

Along with security analysis, we are also investigating practical methods for hardening smart meters against the discovered attacks. One such method that we have considered is the use of artificial firmware diversity to prevent large-scale compromises in smart meter monocultures. This vein of research has lead to a redundant address encryption scheme which improves the known technique of return address encryption for preventing control flow based exploits. In general purpose computers, address encryption will result in an invalid memory access in the event of a failed exploit. This is not true in an embedded system such as a smart meter, which only has single small address space. A failed exploit attempt in such an environment would cause potentially damaging random errors. Redundant address encryption gives a lightweight mechanism for providing arbitrarily strong guarantees against random control flow errors.

Related Publications

Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Multi-vendor Penetration Testing in the Advanced Metering Infrastructure. 26th Annual Computer Security Applications Conference (ACSAC 2010), Austin, TX, USA. December, 2010.

Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Embedded Firmware Diversity for Smart Electric Meters. 5th USENIX Workshop on Hot Topics in Security (HotSec 2010), Washington, DC. August, 2010.

Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel. Energy Theft in the Advanced Metering Infrastructure. 4th International Workshop on Critical Information Infrastructure Security (CRITIS 2009), Bonn, Germany. September, 2009.

Patrick McDaniel and Stephen McLaughlin. Security and Privacy Challenges in the Smart Grid. IEEE Security & Privacy Magazine, 7(3):75--77, May/June, 2009.