AMI Security

An “advanced meter” (a collection of which is known as an Advanced Meter Infrastructure, or AMI) is an electronic meter that can be read and controlled remotely. In the figure on the right, we show how an AMI network could be organized. The network is divided into three main domains that are connected via Field-Area-Network (FAN) and potentially Wide-Area-Network (WAN) links. The first domain houses the Meter Data Management Service (MDMS) and its associated applications, such as those for analyzing metering data. The second domain comprises the metered premises, which may have mesh network connections between themselves to extend the overall reach of the metering network. Each of these premises may also be equipped with a Home-Area Network (HAN) containing consumer devices that utilize meter data or services. For example, Programmable Communicating Thermostats (PCTs) or Building Automation Systems (BASs) are commonly envisioned as being connected to the HAN and are labeled with the generic term “unified hub” in the figure.

Meters provide many potential advantages to ESPs, their customers, and many other entities:

1) Customer control: Customers gain access to information on their current energy usage and real-time electricity prices.
2) Demand response: Power utilities can more effectively send control signals to advanced metering systems to curtail customer loads, either directly or in cooperation with the customer’s building automation system. Current demand response schemes are typically very coarse-grained and provide marginal power savings.
3) Improved reliability: More agile demand response and Distributed Energy Resource (DER) management can improve the reliability of the distribution grid by preventing line congestion and generation overloads. These improvements will also reduce the strain on the transmission grid.
4) Simplified sub-metering: Multiple customers can be monitored by a single meter, reducing equipment costs and maintenance burdens. In some settings, it may even be possible for an MDMS to collect readings from multiple meters in a hierarchical fashion.

There are several distinct categories of advanced metering systems that support the functionality discussed above with varying degrees of success. The least capable systems use low-bandwidth, time-multiplexed radio networks, whose bandwidth limitations preclude any advanced functionality beyond simply reading the meters. More capable systems use mesh networks to provide more consistent and perhaps higher-bandwidth connectivity, and the most capable systems have full broadband network connections. The less capable systems are typically less expensive to deploy initially, but high-bandwidth systems support more advanced services, possibly providing more economic benefits in the long run.

Meter reading systems with fixed networks usually allow service providers to distribute real-time pricing schedules to meters, which can influence customer behavior and induce manual or automatic demand response actions. Some systems also support direct control signals. These may be desirable for managing a distributed energy resource, or for controlling a primary breaker on a premise without dispatching a maintenance worker.

Unique Characteristics

Just as cellphones have become ubiquitous mobile computing platforms, advanced meters may become the first ubiquitous, fixed (non-mobile) computing platforms. This could have a number of positive outcomes, such as the expansion of network access into currently unreachable areas. However, it also raises serious privacy concerns. The introduction of cellphones compromised the location privacy of customers, since the radio signals of cellphones can be tracked to determine the approximate locations of cellphone users. Similarly, advanced meters can potentially be used to determine not only whether a metered premise is occupied, but also how the occupants of the premise are currently behaving. This information could be correlated with location information to develop detailed profiles of those individuals, unless we control the dissemination of such information.

Another significant characteristic of advanced meters follows directly from the previous one. Massive meter deployments may lead to significant availability issues. If many meters attempt to transmit large quantities of data simultaneously, they may overload their communications infrastructure. This could interrupt service providers’ income, if they are unable to collect billing data for significant periods of time. It could also lead to blackouts if load reduction signals are blocked or delayed.

Attacker Profiles

Curious Eavesdroppers

Possibly the least dangerous type of attacker is the curious eavesdropper. In a residential setting, neighbors are often interested in the behavior of occupants in surrounding homes. Currently, they satisfy their curiosity by observing the lights and sounds of a household, which serve as coarse indicators of occupant activity. When advanced metering systems are deployed, these curious individuals may attempt to determine more detailed information about their neighbors by eavesdropping on the communications of advanced meters. It seems unlikely that an ordinary individual will be sufficiently motivated to spend more than a few hours acquiring such information. However, if meter communications are not properly secured, it may be possible for skilled developers to distribute scripted utilities for capturing and analyzing those communications. This could lead to something like the “script kiddie” phenomenon that has occurred in the realm of computer cracking. This sort of scenario would be particularly feasible if meters communicate to form mesh networks, in which the communications from each meter may flow through several others on the route to the MDMS.

Motivated Eavesdroppers

Thieves and other criminals are likely to have capabilities only marginally superior to those of curious eavesdroppers, but may be much more motivated. They could benefit greatly from having enhanced information about the behavior of building occupants, to help them plan crimes. As we mentioned above, one of the primary sources of information about building occupants comes from their lighting. This is why vacationers often put their lights on timers, to obscure their true occupancy status.  If thieves were able to access detailed power measurements from homes, their intelligence capabilities would be greatly improved, increasing their probability of performing robberies without being captured. If they were able to remotely compromise meters and perform surveillance over the network, their productivity and elusiveness would be enhanced even further. Given the enormous potential rewards for their labor, this class of attacker may be willing to perform physical modifications to meters or other infrastructure elements, to enhance their capabilities.

Unethical Customers

Unethical customers may attempt to steal electricity by tampering with metering hardware or software, or its communications. These insiders may have capabilities and motivation levels similar to external thieves, but they will have more opportunities to physically tamper with their metering equipment, since they are the legitimate occupants of the metered premises. The objectives of internal thieves are quite different from those of external thieves. External adversaries are primarily concerned with compromising the confidentiality of meter data, whereas dishonest customers wish to compromise the integrity of meter data, to reduce their bills. To accomplish this, they may either reduce the usage reported by the meter, or they may shift usage indications from higher-priced time intervals to lower-priced intervals. It is generally impossible to entirely prevent the hardware or software tampering that could be used to carry out these attacks, since the customer has physical control over both the meter and the wiring in the house, but it is important to make it at least as difficult to tamper with advanced meters as it currently is to tamper with mechanical meters.

Overly Intrusive Meter Data Management Agency

Although not a traditional adversary, an overly-intrusive MDMS can significantly damage customer privacy. The MDMS is an external entity that is responsible for interacting directly with the meter to gather billing data and other statistics. The MDMS processes the data that it collects, and then transfers it to other clients that require the data, such as the ESP’s billing department. Thus, by protecting against an overly intrusive MDMS, we also protect meter users from all of the MDMS’s clients. If MDMSs were granted access to high-resolution data collected on customers’ meters, they would be able to construct detailed profiles of the behavior of those customers. It has been demonstrated in the past that electrical appliances can be distinguished by how much active and reactive power they require, using a technique called non-intrusive load monitoring. Given a set of appliance power signatures, it is actually possible to take a series of active and reactive power measurements and determine which appliances were running at each point in time by studying the transitions in those measurements. In fact, measurements from a single point on the main line feeding a residence often provide sufficient information to distinguish between loads within the residence that are as similar as the small and large burners on electric stoves.
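The transition-matching idea described above can be made concrete with a short added example (not part of the original page). It labels each step change in a high-resolution active/reactive power trace with the nearest appliance signature, then shows that the same readings averaged over a coarser reporting interval no longer support that attribution. The signatures, the trace, and the thresholds are constructed sample values.

```python
# Added illustration of non-intrusive load monitoring by step-change matching.
# The signatures and the trace are constructed sample values, not measurements.
from math import hypot

# Assumed appliance signatures: (active power in W, reactive power in var).
SIGNATURES = {
    "small_burner": (1200.0, 0.0),
    "large_burner": (2100.0, 0.0),
    "refrigerator": (150.0, 120.0),
}

# Constructed high-resolution (P, Q) readings taken at the service entrance.
TRACE = [
    (100, 20), (102, 21), (255, 138), (251, 140),
    (1448, 141), (1450, 139), (3555, 142), (3550, 140),
    (2352, 140), (2350, 141), (2198, 22), (2200, 20),
]

def detect_events(trace, min_step=50.0, tolerance=60.0):
    """Return (index, appliance, 'on' or 'off') for every step change in the trace."""
    events = []
    for i in range(1, len(trace)):
        dp = trace[i][0] - trace[i - 1][0]
        dq = trace[i][1] - trace[i - 1][1]
        if hypot(dp, dq) < min_step:
            continue  # steady state: no appliance switched
        # Match the size of the step against each signature in the P-Q plane.
        name, dist = min(
            ((n, hypot(abs(dp) - p, abs(dq) - q)) for n, (p, q) in SIGNATURES.items()),
            key=lambda item: item[1],
        )
        label = name if dist <= tolerance else "unknown"
        events.append((i, label, "on" if dp > 0 else "off"))
    return events

def aggregate(trace, window):
    """Average readings over fixed windows, as a coarser reporting interval would."""
    out = []
    for start in range(0, len(trace), window):
        chunk = trace[start:start + window]
        out.append((sum(p for p, _ in chunk) / len(chunk),
                    sum(q for _, q in chunk) / len(chunk)))
    return out

if __name__ == "__main__":
    print(detect_events(TRACE))                # each appliance transition is named
    print(detect_events(aggregate(TRACE, 4)))  # steps remain, attribution is lost
```

The resolution at which readings leave the meter therefore determines how much of this profiling an MDMS or its clients can perform.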

Active Attackers

It has been noted in the past that Al Qaeda has a high level of interest in Supervisory Control And Data Acquisition (SCADA) systems. If metering systems with control capabilities are deployed, it is likely that terrorists will also attempt to exploit those systems. Thus, the introduction of advanced metering systems could actually serve to broaden the power grid’s attack surface. Active attackers that wish to disrupt the power grid using the metering infrastructure could adopt a number of tactics. The most obvious tactic would be to access the meters themselves and instruct them to cut off power to the metered premises, using the hard disconnect function included on some meters. To prevent these attacks, meter operators must ensure that remote entities authorized to perform control functions are properly authenticated. It is also necessary to ensure that meters are constructed using appropriate security engineering techniques to prevent software exploits from granting unauthorized access to control functions. In recent times, attacks against the network infrastructure supporting various applications have become more common. Typically, these take the form of Denial of Service (DoS) attacks. Grid instability or even a blackout may occur if such an attack against a metering network could be sustained for a sufficient length of time, since load reduction signals could be blocked. DoS attacks can be carried out at a variety of logical and physical layers of the network, and are difficult to eliminate entirely. However, certain network technologies are more vulnerable to DoS attacks than others, and must be carefully configured to minimize these risks.
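As an added example (not from the original page or from any AMI standard), the following sketch shows one way a meter could enforce the authentication requirement for control functions stated above: a command is acted on only if its message authentication tag verifies, it is addressed to this meter, and its counter is newer than any previously accepted one. The message layout, the command codes, the per-meter symmetric key, and all names are assumptions made for illustration.

```python
# Added illustration: a meter-side check for remote control commands.
# The message layout, command codes and per-meter key are assumptions.
import hashlib
import hmac
import struct

CMD_DISCONNECT, CMD_RECONNECT = 0x01, 0x02
TAG_LEN = 32                      # HMAC-SHA256 output size
BODY = struct.Struct(">Q8sB")     # counter, 8-byte meter id, command code

def build_command(key, meter_id, counter, command):
    """Head-end side: serialize a command and append its authentication tag."""
    body = BODY.pack(counter, meter_id, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class MeterCommandVerifier:
    """Meter side: accept a command only if it is authentic, addressed and fresh."""

    def __init__(self, meter_id, key):
        self.meter_id = meter_id
        self.key = key
        self.last_counter = 0     # highest counter accepted so far

    def verify(self, message):
        if len(message) != BODY.size + TAG_LEN:
            return "reject: malformed"
        body, tag = message[:BODY.size], message[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "reject: bad tag"
        counter, meter_id, command = BODY.unpack(body)
        if meter_id != self.meter_id:
            return "reject: wrong meter"
        if counter <= self.last_counter:
            return "reject: replay"
        if command not in (CMD_DISCONNECT, CMD_RECONNECT):
            return "reject: unknown command"
        self.last_counter = counter
        return "accept"

if __name__ == "__main__":
    key = b"constructed-demo-key"             # constructed sample key
    meter = MeterCommandVerifier(b"METER001", key)
    msg = build_command(key, b"METER001", 1, CMD_DISCONNECT)
    print(meter.verify(msg), "/", meter.verify(msg))   # accept / reject: replay
```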

Publicity Seekers

A significant portion of the cracker community is fueled by a desire for notoriety. Currently, crackers release worms and viruses that attack large numbers of computers connected to the Internet, and they also perform targeted attacks against smaller numbers of computers. These attacks often generate significant publicity, from which the cracker derives some degree of satisfaction. However, much more publicity could be generated by an attack against a metering network that causes blackouts or other physical effects. Future advanced meters may share many architectural features with smartphones, since both are embedded architectures with communications capabilities. Crackers have already developed viruses to attack smartphones, which raises concerns about viruses attacking metering networks. In fact, meters may be intrinsically more vulnerable than phones, since most will have constant network connectivity and will most likely run network servers that could potentially be exploited without requiring the meter owner to perform any operation to infect the meter.

Countermeasures

To explore a set of solutions to many of the vulnerabilities highlighted above, and to gain more detailed information on AMI security, please visit the Attested Metering webpage.

 

Last updated on Thursday, June 26, 2014, 12:41 pm