David Formby

An Empirical Study of TCP Vulnerabilities in Critical Power System Devices

Implementations of the TCP/IP protocol suite have been patched for decades to reduce the threat of TCP sequence number prediction attacks. TCP, in particular, has been adopted to many devices in the power grid as a transport layer for their applications since it provides reliability. Even though this threat has been well-known for almost three decades, this does not hold true in power grid networks; weak TCP sequence number generation can still be found in many devices used throughout the power grid. Although our analysis only covers one substation, we believe that this is without loss of generality given: 1) the pervasiveness of the flaws throughout the substation devices; and 2) the prominence of the vendors. In this paper, we show how much TCP initial sequence numbers (ISNs) are still predictable and how time is strongly correlated with TCP ISN generation. We collected power grid network traffic from a live substation for six months, and we measured TCP ISN differences and their time differences between TCP connection establishments. In the live substation, we found three unique vendors (135 devices, 68%) from a total of eight vendors (196 devices) running TCP that show strongly predictable patterns of TCP ISN generation.

Towards Secure Metering Data Analysis via Distributed Differential Privacy

The future electrical grid, i.e., smart grid, will utilize appliance-level control to provide sustainable power usage and flexible energy utilization. However, load trace monitoring for appliance-level control poses privacy concerns with inferring private information. In this paper, we introduce a privacy-preserving and fine-grained power load data analysis mechanism for appliance-level peak-time load balance control in the smart grid. The proposed technique provides rigorous provable privacy and an accuracy guarantee based on distributed differential privacy. We simulate the scheme as privacy modules in the smart meter and the concentrator, and evaluate its performance under a real-world power usage dataset, which validates the efficiency and accuracy of the proposed scheme.

A first look at machine-to-machine power grid network traffic

The purpose of network traffic characterization is to explore unknown patterns in different types of network communications to help improve many aspects of the network. While many previous studies have explored the characterization of many different networks (e.g., university networks), the power grid network (and other SCADA networks) characterization has not yet been studied. In this paper, we provide a characterization of the power grid network to answer questions like the following: i) how stable is the communication based on configurations?; ii) are there different observable traffic patterns in different vendor equipment?; iii) are there trends in the network traffic?; iv) can information be gathered from the traffic characterization to help secure the power grid network? To address these questions, we have collected power grid network traffic in a live substation for two months and conducted an empirical study to identify network traffic behaviors in the live substation. Our empirical study shows different behaviors between the devices and vendors when they communicate with each other.

A physical overlay framework for insider threat mitigation of power system devices

Nearly every aspect of modern life today, from businesses, transportation, and healthcare, depends on the power grid operating safely and reliably. While the recent push for a “Smart Grid” has shown promise for increased efficiency, security has often been an after-thought, leaving this critical infrastructure vulnerable to a variety of cyber attacks. For instance, devices crucial to the safe operation of the power grid are left in remote substations with their configuration interfaces completely open, providing a vector for outsiders as well as insiders to launch an attack. This paper develops the framework for an overlay network of gateway devices that provide authenticated access control and security monitoring for these vulnerable interfaces. We develop a working prototype of such a device and simulate the performance of deployment throughout a substation. Our results suggest that such a system can be deployed with negligible impact on normal operations, while providing important security mechanisms. By doing so, we demonstrate that our proposal is a practical and efficient solution for retro-fitting security onto crucial power system devices.

A Case Study in Power Substation Network Dynamics

The modern world is becoming increasingly dependent on computing and communication technology to function, but unfortunately its application and impact on areas such as critical infrastructure and industrial control system (ICS) networks remains to be thoroughly studied. Significant research has been conducted to address the myriad security concerns in these areas, but they are virtually all based on artificial testbeds or simulations designed on assumptions about their behavior either from knowledge of traditional IT networking or from basic principles of ICS operation. In this work, we provide the most detailed characterization of an example ICS to date in order to determine if these common assumptions hold true. A live power distribution substation is observed over the course of two and a half years to measure its behavior and evolution over time. Then, a horizontal study is conducted that compared this behavior with three other substations from the same company. Although most predictions were found to be correct, some unexpected behavior was observed that highlights the fundamental differences between ICS and IT networks including round trip times dominated by processing speed as opposed to network delay, several well known TCP features being largely irrelevant, and surprisingly large jitter from devices running real-time operating systems. The impact of these observations is discussed in terms of generality to other embedded networks, network security applications, and the suitability of the TCP protocol for this environment.