Publication


Featured research published by Robin Berthier.


International Conference on Smart Grid Communications | 2010

Intrusion Detection for Advanced Metering Infrastructures: Requirements and Architectural Directions

Robin Berthier; William H. Sanders; Himanshu Khurana

The security of Advanced Metering Infrastructures (AMIs) is of critical importance. The use of secure protocols and the enforcement of strong security properties have the potential to prevent vulnerabilities from being exploited and from having costly consequences. However, as learned from experiences in IT security, prevention is one aspect of a comprehensive approach that must also include the development of a complete monitoring solution. In this paper, we explore the practical needs for monitoring and intrusion detection through a thorough analysis of the different threats targeting an AMI.


Pacific Rim International Symposium on Dependable Computing | 2011

Specification-Based Intrusion Detection for Advanced Metering Infrastructures

Robin Berthier; William H. Sanders

It is critical to develop an effective way to monitor advanced metering infrastructures (AMI). To ensure the security and reliability of a modernized power grid, the current deployment of millions of smart meters requires the development of innovative situational awareness solutions to prevent compromised devices from impacting the stability of the grid and the reliability of the energy distribution infrastructure. To address this issue, we introduce a specification-based intrusion detection sensor that can be deployed in the field to identify security threats in real time. This sensor monitors the traffic among meters and access points at the network, transport, and application layers to ensure that devices are running in a secure state and their operations respect a specified security policy. It does this by implementing a set of constraints on transmissions made using the C12.22 standard protocol that ensure that all violations of the specified security policy will be detected. The soundness of these constraints was verified using a formal framework, and a prototype implementation of the sensor was evaluated with realistic AMI network traffic.


IEEE Transactions on Smart Grid | 2012

SCPSE: Security-Oriented Cyber-Physical State Estimation for Power Grid Critical Infrastructures

Saman A. Zonouz; Katherine M. Rogers; Robin Berthier; Rakeshbabu Bobba; William H. Sanders; Thomas J. Overbye

Preserving the availability and integrity of the power grid critical infrastructures in the face of fast-spreading intrusions requires advances in detection techniques specialized for such large-scale cyber-physical systems. In this paper, we present a security-oriented cyber-physical state estimation (SCPSE) system, which, at each time instant, identifies the compromised set of hosts in the cyber network and the maliciously modified set of measurements obtained from power system sensors. SCPSE fuses uncertain information from different types of distributed sensors, such as power system meters and cyber-side intrusion detectors, to detect the malicious activities within the cyber-physical system. We implemented a working prototype of SCPSE and evaluated it using the IEEE 24-bus benchmark system. The experimental results show that SCPSE significantly improves on the scalability of traditional intrusion detection techniques by using information from both cyber and power sensors. Furthermore, SCPSE was able to detect all the attacks against the control network in our experiments.


Dependable Systems and Networks | 2011

A cloud-based intrusion detection and response system for mobile phones

Amir Houmansadr; Saman A. Zonouz; Robin Berthier

As smart mobile phones, so-called smartphones, are getting more complex and more powerful to efficiently provide more functionalities, concerns are increasing regarding security threats against the smartphone users. Since smartphones use the same software architecture as in PCs, they are vulnerable to similar classes of security risks such as viruses, trojans, and worms [6]. In this paper, we propose a cloud-based smartphone-specific intrusion detection and response engine, which continuously performs an in-depth forensics analysis on the smartphone to detect any misbehavior. In case a misbehavior is detected, the proposed engine decides upon and takes optimal response actions to thwart the ongoing attacks. Despite the computational and storage resource limitations in smartphone devices, the engine can perform a complete and in-depth analysis on the smartphone, since all the investigations are carried out on an emulated device in a cloud environment.


Computers & Security | 2013

Secloud: A cloud-based comprehensive and lightweight security solution for smartphones

Saman A. Zonouz; Amir Houmansadr; Robin Berthier; Nikita Borisov; William H. Sanders

As smartphones are becoming more complex and powerful to provide better functionalities, concerns are increasing regarding security threats against their users. Since smartphones use a software architecture similar to PCs, they are vulnerable to the same classes of security risks. Unfortunately, smartphones are constrained by their limited resources that prevent the integration of advanced security monitoring solutions that work with traditional PCs. We propose Secloud, a cloud-based security solution for smartphone devices. Secloud emulates a registered smartphone device inside a designated cloud and keeps it synchronized by continuously passing the device inputs and network connections to the cloud. This allows Secloud to perform a resource-intensive security analysis on the emulated replica that would otherwise be infeasible to run on the device itself. We demonstrate the practical feasibility of Secloud through a prototype for Android devices and illustrate its resource effectiveness by comparing it with on-device solutions.


IEEE Journal on Selected Areas in Communications | 2013

A Multi-Sensor Energy Theft Detection Framework for Advanced Metering Infrastructures

Stephen E. McLaughlin; Brett Holbert; Ahmed M. Fawaz; Robin Berthier; Saman A. Zonouz

The advanced metering infrastructure (AMI) is a crucial component of the smart grid, replacing traditional analog devices with computerized smart meters. Smart meters have not only allowed for efficient management of many end-users, but also have made AMI an attractive target for remote exploits and local physical tampering with the end goal of stealing energy. While smart meters possess multiple sensors and data sources that can indicate energy theft, in practice, the individual methods exhibit many false positives. In this paper, we present AMIDS, an AMI intrusion detection system that uses information fusion to combine the sensors and consumption data from a smart meter to more accurately detect energy theft. AMIDS combines meter audit logs of physical and cyber events with consumption data to more accurately model and detect theft-related behavior. Our experimental results on normal and anomalous load profiles show that AMIDS can identify energy theft efforts with high accuracy. Furthermore, AMIDS correctly identified legitimate load profile changes that more elementary analyses classified as malicious.


IEEE Transactions on Smart Grid | 2014

SOCCA: A Security-Oriented Cyber-Physical Contingency Analysis in Power Infrastructures

Saman A. Zonouz; Charles M. Davis; Katherine R. Davis; Robin Berthier; Rakesh B. Bobba; William H. Sanders

Contingency analysis is a critical activity in the context of the power infrastructure because it provides a guide for resiliency and enables the grid to continue operating even in the case of failure. In this paper, we augment this concept by introducing SOCCA, a cyber-physical security evaluation technique to plan not only for accidental contingencies but also for malicious compromises. SOCCA presents a new unified formalism to model the cyber-physical system including interconnections among cyber and physical components. The cyber-physical contingency ranking technique employed by SOCCA assesses the potential impacts of events. Contingencies are ranked according to their impact as well as attack complexity. The results are valuable in both cyber and physical domains. From a physical perspective, SOCCA scores power system contingencies based on cyber network configuration, whereas from a cyber perspective, control network vulnerabilities are ranked according to the underlying power system topology.


IEEE Transactions on Smart Grid | 2015

CPIndex: Cyber-Physical Vulnerability Assessment for Power-Grid Infrastructures

Ceeman Vellaithurai; Anurag K. Srivastava; Saman A. Zonouz; Robin Berthier

To protect complex power-grid control networks, power operators need efficient security assessment techniques that take into account both the cyber side and the power side of the cyber-physical critical infrastructures. In this paper, we present CPINDEX, a security-oriented stochastic risk management technique that calculates cyber-physical security indices to measure the security level of the underlying cyber-physical setting. CPINDEX installs appropriate cyber-side instrumentation probes on individual host systems to dynamically capture and profile low-level system activities such as interprocess communications among operating system assets. CPINDEX uses the generated logs along with the topological information about the power network configuration to build stochastic Bayesian network models of the whole cyber-physical infrastructure and update them dynamically based on the current state of the underlying power system. Finally, CPINDEX implements belief propagation algorithms on the created stochastic models combined with a novel graph-theoretic power system indexing algorithm to calculate the cyber-physical index, i.e., to measure the security level of the system's current cyber-physical state. The results of our experiments with actual attacks against a real-world power control network show that CPINDEX, within a few seconds, can efficiently compute the numerical indices during the attack that indicate the progressing malicious attack correctly.


IEEE Transactions on Smart Grid | 2014

A Framework for Evaluating Intrusion Detection Architectures in Advanced Metering Infrastructures

Alvaro A. Cárdenas; Robin Berthier; Rakesh B. Bobba; Jun Ho Huh; Jorjeta G. Jetcheva; David Grochocki; William H. Sanders

The scale and complexity of Advanced Metering Infrastructure (AMI) networks require careful planning for the deployment of security solutions. In particular, the large number of AMI devices and the volume and diversity of communication expected to take place on the various AMI networks make the role of intrusion detection systems (IDSes) critical. Understanding the trade-offs for a scalable and comprehensive IDS is key to investing in the right technology and deploying sensors at optimal locations. This paper reviews the benefits and costs associated with different IDS deployment options, including either centralized or distributed solutions. A general cost-model framework is proposed to help utilities (AMI asset owners) make more informed decisions when selecting IDS deployment architectures and managing their security investments. We illustrate how the framework can be applied through case studies, and highlight the interesting cost/benefit trade-offs that emerge.


International Conference on Smart Grid Communications | 2012

AMIDS: A multi-sensor energy theft detection framework for advanced metering infrastructures

Stephen E. McLaughlin; Brett Holbert; Saman A. Zonouz; Robin Berthier

The advanced metering infrastructure (AMI) is a crucial component of the smart grid, replacing traditional analog devices with computerized smart meters. Smart meters have not only allowed for efficient management of many end-users, but also have made AMI an attractive target for remote exploits and local physical tampering with the end goal of stealing energy. While smart meters possess multiple sensors and data sources that can indicate energy theft, in practice, the individual methods exhibit many false positives. In this paper, we present AMIDS, an AMI intrusion detection system that uses information fusion to combine the sensors and consumption data from a smart meter to more accurately detect energy theft. AMIDS combines meter audit logs of physical and cyber events with consumption data to more accurately model and detect theft-related behavior. Our experimental results on normal and anomalous load profiles show that AMIDS can identify energy theft efforts with high accuracy. Furthermore, AMIDS correctly identified legitimate load profile changes that more elementary analyses classified as malicious.

Collaboration


Top Co-Authors

Alvaro A. Cárdenas

University of Texas at Dallas

Stephen E. McLaughlin

Pennsylvania State University

Amir Houmansadr

University of Massachusetts Amherst

Brett Holbert

Pennsylvania State University
