A Smart Metering Scenario Jorge Cuellar, Jan Stijohann, Santiago Suppan Siemens AG

Agenda General Context: Smart Grid Security  Common Terminology Description of the Scenario Environment  Case Overview Tomorrow: Possible worst case scenarios  Threat and Attack Analysis 2

General Context: Smart Grid Security I Motivation  70% of urban population will live in cities by 2050  Current energy supply affected by: Blackouts Power overloads High costs  Upcoming challenges: Distributed power supply … Regenerative sources in many places Scarcity of resources … Intermittent power supply 3

Properties of the Smart Grid Self-monitoring Auto-balancing Self-Regulating Efficient Cost reducing 4 Those properties are necessary to cope with the requirements of future power supply  Energy is flowing in both directions  Amount of energy must be carefully controlled  Incentives must be provided to consume / store energy only when production is high in real-time

Entities (Roles) Energy Generators Energy Suppliers  Data Communication Network  Network Gateway  Energy Supply Server Prosumer & Home Domain  Smart Appliances  Smart Meter  (Wireless) Home Area Network  Home Gateway  Home Energy Management System Meter Point Operator 5

Data Flow 6 DCN Data Energy SA SA: Smart Appliances Energy Generation („SA“) HAN: Home Area Network EMS: Control & Usage Display SA: TV HG: Home Gateway Vehicle Charging („SA“) 20°C SA: Thermostat Solar SM: Smart Meter TN: Transmission Node NG: NW Gateway ABD BD S&C Raw BD Internet REMS: Remote device for Control & Usage Display ESS: Energy Supplier Server S&C ABD BDF Third Parties: Energy Generator etc S&C PDD

Raw BD (Raw Billing Data)  All data related to energy consumption, storage and production  Gathered by the SM BD (Billing Data)  Processed and stored by the SM and the (local) EMS. ABD (Aggregated Billing Data)  Sent to the NG over the public Data Communication Network and forwarded to the Energy Supplier 7 Data Flow PDD (data for power generation and distribution purposes)  Aggregated by ES from ABD of several households  Purpose: usage forecasts for certain sectors

BDF (Billing Data Feedback Information)  Every ± 5 minutes  Users are informed  Energy usage, generation volume, costs, revenues, and current rates S&C (Status and Control)  Local logon to the EMS  View the smart appliances’ status  Control of the Smart Appliances or modification of the energy management policies 8 Data Flow RS&C (Remote S&C)  Remotely logon to the EMS  Using e.g., a cellular phone or a remote PC  From external hot spots (e.g., internet café)

Suggestions for Worst Cases Threat and Attack Analysis Jorge Cuellar, Jan Stijohann, Santiago Suppan Siemens AG

Questions / Tasks Assume a variety of home environments  Some clever, some less clever devices  Legacy and not legacy systems  From a variety of vendors Describe attackers & attacks in some detail:  External attackers  Insiders which are either malicious or careless Employees, family members, neighbours, installers, manufacturers Identify security requirements Identify security controls and measures to provide  First line of defence  Defence in depth or redundancies 10

1: Family with children  Which information could the attacker obtain? What can he deduce? … How many persons live?  Possible tracing? Combination of information useful for burglary or … ? 11 Possible weak point Attacker: insider / outsider

2: Smart Appliances Which appliances are “smart”? What kind of information (R/S&C) do they process? What are the appliances’ functionalities? Can a successful attack to an appliance lead to a compromise of the AMI? 12 Attacker: insider / outsider

3: Privacy Initial assumption: all communication is encrypted  Possible to read / disclose / etc. information regardless of encryption?  Time / Communication Parties / Message length etc., help disclose the payload data?  Possible to misuse insider status (Prosumer / Energy Supplier)? 13 Attacker: insider / outsider

4: Impersonation  How to impersonate another customer for accounting fraud?  Possible to impersonate a server?  With which results? 14 X Possible impersonation or interference Attacker: insider / outsider

5: Encryption & Key mgmt Assume: Communication is encrypted  Possible to bypass the communication encryption?  Possible to extract keys or to intercept key exchanges or key updates?  Possible to exploit implementation weaknesses at the network / transport / application layer?  Possible to exploit insider status? 15 Possible weak point Attacker: insider / outsider

6: Electric Mobility Assumption: Electric vehicles share an unique vehicle ID  Possible impersonation?  Possible fraud?  Possible tracing?  Possible theft?  … 16 uvID Attacker: insider / outsider

Thank You! Any questions? eRise Challenge 2013

18