SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2014; 7:195–205 Published online 28 November 2012 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.690
SPECIAL ISSUE PAPER
A framework for intrusion detection system in advanced metering infrastructure
Nasim Beigi Mohammadi1*, Jelena Misić1, Vojislav B. Misić1 and Hamzeh Khazaei2
1 Department of Computer Science, Ryerson University, Toronto, ON, M5B 2K3, Canada
2 Department of Computer Science, University of Manitoba, Winnipeg, MB, R3T 2N2, Canada
ABSTRACT
Advanced metering infrastructure (AMI) is one of the key elements in smart grid, which facilitates the communication of metering data to a substation in one direction and control messages in the reverse direction. Using wireless technologies and communication devices (e.g., smart meters), which are located in physically insecure places, makes the AMI vulnerable to cyber attacks. In order to ensure the reliability and security of AMI, attack prevention techniques and intrusion detection systems (IDSs) should be in place to protect the AMI communications from malicious attacks and security breaches, respectively. In this paper, we discuss the security requirements and vulnerabilities of AMI and review the existing threat prevention and detection solutions. We propose an IDS for neighborhood area network (NAN) in AMI, taking into account the NAN-specific requirements. Copyright © 2012 John Wiley & Sons, Ltd.
KEYWORDS
smart grid; AMI; neighborhood area network; security; intrusion detection system
*Correspondence
Nasim Beigi Mohammadi, Department of Computer Science, Ryerson University, Toronto, ON, M5B 2K3, Canada. E-mail: [email protected]
1. INTRODUCTION
Advanced metering infrastructure (AMI) enhances the link between the grid, consumers, and utility providers through the integration of multiple technologies such as automatic metering, communication networks, and data management systems with current power utility operations and asset management processes. AMI provides a two-way communication capability between smart meters and utilities to exchange information such as power consumption, pricing information, firmware updates, remote disconnects, fault or outage detection, and exception messages [1]. Advanced Meter Reading (AMR) is a metering system that records customer consumption (and possibly other parameters) hourly or more frequently and transmits the measurements over a communication network to a central collection point on a daily basis or at a faster pace. Utilities have been using demand-side management (DM) to supervise the peak loads of customers with the aim of reducing total power usage as well as the required infrastructure capacity. AMI is the logical conjunction of AMR and DM. DM provides the forward path from the utility center to the customer’s endpoint, whereas AMR provides the reverse path from the customer’s endpoint to the utility center. With the addition of a connection to the source of electricity costs, AMI can provide the customer with near real-time information on which to base decisions about electricity usage [2].
Advanced metering infrastructure mainly consists of four components: smart meters, home area network (HAN) gateways, the communication network, and the AMI head-end [3]. Smart meters are the source of metering data and other energy-related information that are sent to utility providers. HAN gateways act as a bridge between home appliances and smart meters, although smart appliances can also communicate directly with smart meters. The AMI communication network provides a path from the smart meters all the way to the utility providers. Located at a utility site, the AMI head-end manages the communication between meter data management systems and the AMI communication network.
Advanced metering infrastructure security is considered to be one of the biggest challenges to its worldwide acceptance. Because of the critical information exchanged over AMI communications (e.g., customers’ financial information, vital control and safety commands, and utility providers’ private information), AMI requires solid protection against unauthorized access and malicious attacks. Hence, security mechanisms and intrusion detection techniques should be in place when migrating to the automatic metering infrastructure.
In this work, the AMI communication architecture as well as security threats and requirements for intrusion detection systems (IDSs) are discussed. Studying the state of the art in security measures and IDSs, we propose an IDS solution that considers the main constraints and necessities of AMI. The rest of this paper is organized as follows: In Section 2, we explain the smart grid components and their communication requirements. The architecture and security concerns of AMI are discussed in Section 3. Section 4 surveys related work in AMI security, and Section 5 studies the IDS solutions that have been proposed so far in the area of AMI. In Section 8, an IDS solution is proposed for the neighborhood area network (NAN) in AMI. Finally, Section 9 concludes the paper and states the future work.
2. SMART GRID AND COMMUNICATION REQUIREMENTS
Smart grid is expected to improve the efficiency, reliability, and economics of current energy systems. Using two-way flow of electricity and information, smart grid builds an automated, highly distributed energy delivery network. It incorporates real-time information exchange with the intention to balance supply and demand [4,5]. Smart grid consists of seven major blocks, namely bulk generation, transmission, distribution, operation, market, customer, and service provider [6]. The emergence of machine-to-machine communication has also begun in developing a smart power grid. This type of communication occurs among different components of smart grid such as sensors, smart meters, gateways, and other equipment [7]. A high-level smart grid framework is shown in Figure 1.
In smart grid, the communication network plays a significant role and is required to be highly reliable: nodes should be available under all circumstances and the network must be robust. The communication network should have high coverage to connect the highly distributed nodes in the smart grid realm. Communication overhead is another issue in the smart grid; even though the commands and data packets are usually short, the total volume to be transferred is overwhelming. Different smart grid applications have different quality-of-service (QoS) requirements. Some of these applications (e.g., control and alarm data) are delay sensitive, have some QoS requirements [8], and are loss-intolerant. Applications such as substation and feeder Supervisory Control and Data Acquisition data, meter reading, longer-term market pricing information, and collecting long-term data such as power quality information have latency requirements of seconds, hours, days, weeks, and months, respectively [9]. Easy deployment and maintenance are essential for any distributed network, and smart grid is no exception. As the National Institute of Standards and Technology indicates, the use of current technology and its adaptation is one of the acceptable strategies that can be employed in smart grid communications [9]. According to the Electric Power Research Institute, security is one of the biggest challenges for widespread deployment of smart grid [10]. The two-way communication path that monitors and controls the smart grid infrastructure is a potential opportunity for a knowledgeable attacker. Physically unprotected entry points, as well as wireless networks that can be easily monitored and possibly interfered with, pave the way for attackers. Hence, there should be security mechanisms in place to prevent unauthorized use of these communication paths. On the basis of the history of security in other types of networks, many risks exist and are yet to be discovered.
Many of the technologies being deployed into smart grid projects, such as smart meters, sensors, and advanced communications networks, can increase the vulnerability of the grid to cyber attacks, and the risk grows as the deployment becomes more widespread. Communication security is an absolute requirement in the smart grid; smart grid deployments will fail without proper cyber security mechanisms built in. Communication security must address not only deliberate attacks but also inadvertent ones due to user errors, equipment failures, and natural disasters.
Figure 1. A high-level framework of smart grid (blocks: bulk generation, transmission, distribution, operations, markets, customers, and the utility center connected over a wide area network; information flow and power flow are indicated).
3. AMI: ARCHITECTURE AND SECURITY CONCERNS
3.1. AMI architecture
Advanced metering infrastructure includes several communication networks that can be generally classified into HAN, NAN, and wide area network (WAN) [11]. The home area network is the network of sensors that are attached to electronic appliances at customer premises and communicate with customers’ gateways or directly with smart meters in residential and industrial areas. The communication technologies usually used for this network include 802.15.4 (possibly with the ZigBee protocol stack) and 802.11 (WiFi). The neighborhood area network is a network of neighboring smart meters that communicate with collector nodes. NAN comprises many different media depending on the network layout. Wireless mesh network (WMN) has attracted more attention than other architectures for NAN; in it, smart meters are connected in a mesh topology [12]. Other technologies such as 3G/4G cellular and WiMAX can also be used for NAN communication [13]. A detailed description of the NAN architecture that has been used to propose an IDS solution is given in Section 6. The wide area network is a multipurpose network that provides connectivity from data collectors to control units in the utility center. It connects multiple substations and local control points back to the main utility center. It forms a communication backbone to connect the utility centers to the highly distributed substations or customers’ endpoints. This network requires high bandwidth and very high reliability, and it is usually made up of technologies such as optic fiber, WiMAX, cellular, satellite, Metro Ethernet, and power line communication. In cases where the NAN is in the vicinity of the utility center, power line communication and optic fiber connect the collectors to the utility center. The WAN accommodates both field and enterprise data flows [6]. An overview of the AMI communication scheme is shown in Figure 2.
Figure 2. Overview of advanced metering infrastructure (AMI) networks [14]. WAN, wide area network; NAN, neighborhood area network; HAN, home area network; LAN, local area network; PLC, power line communication; DSL, digital subscriber line; MDMA, meter data management agent.
3.2. AMI security concerns
Advanced metering infrastructure brings new security challenges because it is composed of devices that are placed in physically insecure locations and it makes use of wireless communication that can possibly be corrupted. These resources can be accessed by careless or malicious users [15,16]. Cleveland in [3] discusses the security requirements and related threats of the main components of an AMI. Security concerns for AMI can be classified into the following:
• Confidentiality and, in particular, privacy, which can strongly affect the customers’ view of deploying smart grid. Customers do not like unauthorized people and companies to know about their usage patterns. Usage patterns can reveal life habits and even the presence/absence of residents, which could be used by thieves. If people’s concerns are not satisfied, they may refuse to cooperate in deploying smart grid; that is, they may refuse to let the utility providers install smart meters at their places.
• Integrity in AMI systems means preventing any changes in the metering data received from meters and the control commands sent to the meters. One scenario that may happen is a hacker breaching a meter management system, sending a disconnect command, and thereby disconnecting millions of smart meters.
• Availability is considered the most crucial requirement in AMI because some systems or applications are real time and they ultimately deal with the availability of power, which is the most essential factor in smart grid.
• Non-repudiation is also needed because different entities are involved in financial transactions, owning data, and even generating control commands. Audit logs of interactions are mainly used for non-repudiation, although these logs can be affected by integrity and availability attacks.
In AMI, availability and integrity of data take precedence over confidentiality [15,17]. Attacks targeting AMI can be classified into three categories: network compromise, system compromise, and denial of service (DoS) [14]. Traffic modification, false data injection, replay, and traffic analysis attacks try to compromise the network [18], whereas compromised nodes and spoofing of metering devices, authentication violation, and access to encryption keys are examples of attacks that target the systems [19]. Flaws or misuse of routing, configuration, and name resolution, as well as signal jamming, are considered DoS attacks.
4. STATE OF THE ART IN SECURITY MEASURES FOR AMI
In [18], the authors have evaluated the security threats on the communication network in the smart grid. They compare the smart grid with the Internet and highlight critical differences such as the performance metric and traffic model. Because TCP/IP is widely, if not universally, used in smart grid, the studies of DoS attacks against TCP/IP such as [20,21] can be used as a starting point for the analysis of the smart grid as well. The authors in [22] argue for the use of public key infrastructure (PKI) as the best overall security solution for smart grid. They believe that “in very large systems, PKI could be significantly more efficient than shared keys in terms of setting up and maintaining operational credential.” In the same category, So et al. [23] propose the use of an identity-based signature and encryption scheme in order to off-load the senders of messages as much as possible. The machine identity number (ID) of a device connected to the smart grid is used to generate unique keys to encrypt and sign each individual data packet sent among devices in the grid. In [17], an integrated confidentiality and authentication scheme for AMI communication has been developed. The scheme has three steps. In the initialization step, a new smart meter is added to the AMI and is authenticated with an authentication server via an already authenticated smart meter, called the authenticator. The next step is in-network meter reading collection, through which encryption takes place from the first meter to the last meter, called the collecting node of metering. Finally, in the third step, control message distribution is performed from the collecting node to the first smart meter, in the reverse direction of the second step.
However, there are some security issues with their method. First, if the authenticator smart meter is compromised, the key of the newly added smart meter will be compromised too, because according to this approach, after the new meter is authenticated, the server sends the new meter’s key to the authenticator so that the two meters can generate their keys for mutual authentication. Second, it has been claimed that if one meter is compromised, this will not affect the rest of the AMI. However, according to this method, if the key of one meter is compromised, it will reveal not only the meter reading of its neighbor but also the readings of all the meters in the AMI. A method for anonymization of smart metering data has been proposed in [24]. The idea of this work is to assign the frequent meter readings to a group of customers so that the identity of customers can be hidden. Each smart meter has two different identities; one is used for readings that are associated with a particular smart meter, and the other is used for anonymous readings. The advantage of this method is that it hides the individual identities, but because the method relies mainly on a third party to keep the relationship between users and unknown identities, processing by the third party may become a bottleneck. The authors in [25] present an authentication and encryption/decryption scheme for HAN. The scheme relies on transceivers attached to power outlets that communicate with the HAN’s meter. The scheme uses PKI for securing the communication between appliances and the HAN’s meter. Various attacks against HAN security such as jamming, appliance impersonation, replay, and non-repudiation have also been studied. The contribution of [26] is a lossless data aggregation protocol in which there is a trade-off between security and communication performance. It is assumed that the smart meter connection to a gateway is a tree topology and that the aggregation protocol combines packets from child nodes before sending them to a parent node. This way, the overhead of repeating packet headers can be reduced. The paper also proposes a per-hop security protocol that still maintains end-to-end security. This work is one possible solution that can be used to efficiently transmit data through a tree-based network topology that does not suffer high interference. However, interference is inevitable in any unlicensed band, and according to Thonet et al. [27], for example, only four of the 16 IEEE 802.15.4 channels (15, 16, 21, and 22) fall between the often-used and non-overlapping 802.11b/g channels (1, 7, and 13). Therefore, the solution in [26] might not work unless it is modified to take the existence of interference into account. Also, the place of their solution in the smart grid will depend on the network topology that is used in practice. A technique for evaluating the security of devices being deployed into the AMI is investigated in [15]. The authors develop an attack tree approach to guide penetration testing of multi-vendor technology classes and design a penetration testing process. This work provides a comprehensive but rather high-level classification of three types of attacks targeting AMI: DoS, energy fraud, and targeted disconnect.
5. STATE OF THE ART IN IDS FOR AMI
Although the threats discussed in Section 3 must be taken into account when designing security mechanisms, AMI lacks a reliable monitoring solution so that, in case of a security breach, the grid can detect or deter the violation. An IDS acts as a second wall of defense and is necessary for protecting AMI if security mechanisms such as encryption/decryption and authentication are broken. Generally, techniques for intrusion detection are classified into three main categories: signature-based, which relies on a pre-defined set of patterns to identify attacks; anomaly-based, which relies on particular models of node behavior and marks nodes that deviate from these models as malicious; and specification-based, which relies on a set of constraints and monitors the execution of programs/protocols with respect to these constraints [28]. One approach for designing an IDS for AMI is to leverage the existing IDS techniques that have been used in other types of networks. However, there are AMI-specific challenges that one needs to be aware of when designing an IDS for AMI. The IDS should be highly accurate because, ultimately, it deals with availability, which is considered to be the most critical aspect of smart grid [20]. Moreover, it should impose low communication and computation overhead on the network because of the resource-constrained devices in AMI. Traditional IDS mechanisms consisting of a number of lightweight agents reporting to a central management server are not scalable. A central approach may not work for AMI networks, which may include millions of nodes, because the traffic load, required storage, and computational capabilities at the central server could be overwhelming. Therefore, a distributed approach should be considered. In a distributed IDS, data processing is distributed among intermediate nodes, and only high-level data are sent to the central server [29]. Although efforts have been made to investigate the security of AMI, there are few works that focus on proposing and designing a reliable and efficient IDS for AMI. The authors in [14] discuss the requirements and practical needs for monitoring and intrusion detection in AMI. The research made in the area of smart grid IDS and the key functional requirements of an IDS for the smart grid environment have been surveyed in [30]. In [29], the authors present a layered, combined signature- and anomaly-based IDS for HAN. Their IDS is designed for a ZigBee-based HAN and works at the physical and medium access control (MAC) layers. Their work only considers the HAN part of AMI. In [1], a specification-based IDS for AMI is proposed. While the solution in [1] relies on protocol specifications, security requirements, and security policies to detect security violations, it would be expensive to deploy such an IDS because it uses a separate sensor network to monitor the AMI. In [31], the authors propose a model-based IDS working on top of the WirelessHART protocol, an open wireless communication standard designed to address industrial plant applications, to monitor and protect wireless process control systems. The hybrid architecture consists of a central component that periodically collects information from distributed field sensors. Their IDS monitors the physical, data link, and network layers to detect malicious behavior. A detailed explanation is provided by Roosta [31]. However, it is protocol specific and cannot be applied to an AMI IDS. The authors in [12] investigate the use of WMN and the security framework for the distribution network in smart grid. A response mechanism for the meter network has also been proposed. As a result, to the best of our knowledge, there is no published research that specifically addresses IDS for the NAN part of AMI. In this work, an IDS that combines anomaly-based and signature-based approaches is proposed, which considers the constraints and requirements of NAN and utilizes several rules to detect anomalies in the network. The IDS captures the communication and computation overhead constraints, as well as the lack of a central point at which to install the IDS, by proposing a distributed IDS that runs on some nodes that are powerful in terms of memory, computation, and degree of connectivity.
6. NAN ARCHITECTURE
Wireless mesh architecture has been the most prevalent architecture used to build NAN; it provides several advantages over the others, including flexibility, minimal infrastructure, scalability, and low configuration cost [32]. Figure 3 shows a typical NAN in which smart meters are connected in an adaptive WMN and all of them can perform routing. Each node maintains a list of peers so that, in case of failure of one peer, it can switch to the next available peer. Hence, redundant paths make the network more reliable. Fully redundant routing requires each smart meter to discover the best single/multi-hop collector in its vicinity and establish a connection with it. On detecting loss of connectivity, smart meters are able to re-configure themselves to re-establish the connection to the network [33].
Figure 3. Neighborhood area network (smart meters connected in a wireless mesh, with a collector).
Designing the best practical routing protocol for the radio frequency (RF) mesh in the NAN has been a hot topic in the research community. Some approaches have suggested using reactive routing protocols such as ad hoc on-demand distance vector (AODV), some have proposed proactive routing protocols such as destination-sequenced distance vector, whereas others believe that a combination of reactive and proactive routing suits the requirements of the NAN RF mesh. The work in [34] analyzes the resiliency of the NAN against a DoS attack considering three types of routing protocols: AODV, dynamic source routing, and destination-sequenced distance vector. From the simulation results, it has been concluded that AODV outperforms the others on performance metrics such as packet delivery ratio and average end-to-end delay. In [35], the network performance of a NAN smart metering network has been evaluated as a function of the size of the network, node scheduling, and polling interval. The routing algorithm used in that paper is a modified version of AODV. Because smart meters are not mobile nodes and the discovery phase is only required either when a smart meter is newly added to the network or when a smart meter loses the connection to its peer toward the collector, some kind of proactive routing protocol may be more suitable for the requirements of the NAN. Such a routing protocol should also take into account repair mechanisms for when some part of the network is unstable (e.g., a smart meter loses its peer). In [36], two modifications to the 802.11s routing protocol have been proposed to make the protocol appropriate for smart grid; a modification to the calculation method of the metric defined in 802.11s and a route fluctuation prevention algorithm are suggested. Routing protocol for low power and lossy networks (RPL) is currently under development by the Internet Engineering Task Force to support various applications of low power and lossy networks, such as in urban environments. RPL is a distance vector routing algorithm that uses a destination oriented directed acyclic graph (DODAG) to maintain the state of the network; each node keeps its position in the DODAG by calculating a rank that determines its relations with the root and the other nodes in the directed acyclic graph (DAG). The specification of this protocol is found in [37]. The authors in [38] modify RPL for NAN by proposing a DAG rank computation that fits the requirements of NAN. In [33], RPL has been enhanced by designing a self-organizing mesh solution on the basis of which smart meters can automatically discover the more suitable collectors in their vicinity, detect loss of connectivity, and re-configure themselves to connect to the NAN. Distributed autonomous depth-first routing [39] is a proactive routing algorithm that acts exactly like traditional distance vector algorithms when the network is in normal operation. When the topology changes frequently, it uses a lightweight control plane and uses its forwarding plane to inform the network about any link failures. In this paper, we choose a distance vector-based routing protocol such as RPL as a suitable routing algorithm for NAN. Our justification relies on the fact that the network topology in NAN is not very dynamic and smart meters do not need to keep a synchronized map of the whole network. In addition, it may not be feasible in the low-bandwidth network of smart meters to flood the whole network with every change occurring in the topology. Our NAN IDS solution considers a static multi-hop wireless network; when the network is in normal operation, a smart meter keeps using only one of its peers as its next hop unless it loses its connection to that next hop.
7. REALISTIC INTRUSION SCENARIOS
One of the main incentives to attack the smart grid is energy fraud, in which attackers try to tamper with the metering infrastructure so that they are not billed for the energy they consume. The attempt to disable metering-related functions falls into the DoS category of attacks. One of the important attacks that can occur in NAN is preventing meters from acting on commands such as usage queries, firmware updates, and remote disconnects [40]. Figure 4 shows a typical meter command execution attack tree. A realistic example of this type of attack is when a smart meter fails to respond to a usage query and the malicious customer takes advantage of not being billed for some amount of time. The adversary has two choices to do so: either preventing the command execution or preventing the command from reaching the target smart meter. In the former, the adversary can either exhaust the system resources (e.g., by allocating and maintaining the maximum allowed number of open connections) or leverage a firmware bug that causes a system hang [15]. Another situation is when the adversary tampers with the forwarding of packets away from the meter by dropping traffic destined for that meter, which can happen at the link and routing layers in the back-haul network (WAN) and in the NAN. An adversary can also prevent the packets from reaching his home smart meter by attacking an intermediate smart meter that is one of the next hops of his own meter toward the utility center. Notice that the attacks targeting the WAN part of the AMI are out of the scope of this paper. The main focus of this work is on the attacks that occur in NAN as a result of en route meter nodes that may malfunction and interfere with the proper forwarding of packets (e.g., by delaying, altering, misrouting, and dropping). These target smart meters are either spoofed or under attack, which can be detected by the proposed IDS.
Figure 4. High-level meter denial-of-service (DoS) attack tree (nodes: DoS on meter command execution; block command delivery; drop in WAN; drop in NAN; interfere with packet forwarding toward meter; exhaust meter LAN resources; receive at spoofed meter). WAN, wide area network; NAN, neighborhood area network; LAN, local area network.
Denial-of-service attacks can be launched against the physical layer by using radio jamming, which may interfere with the physical channels and hinder the availability of the network. The attacker can also target the MAC protocols at the link layer by jamming only request-to-send packets. Trivial jamming, periodic jamming, and reactive jamming [41] are some examples of jamming attacks. In a memory and processing exhaustion attack, the attacker imposes expensive or excessive operations on the target node and tries to use up its processing and memory. Verification of a fake signature is an example of such a complex task. An attacker can also prevent the target node from entering its duty/sleep cycle by occupying it with extra transmissions [42,43]. A data injection attack is another attack that can occur in the NAN, in which a compromised node tries to exhaust the bandwidth as well as the resources of its next hops. Generally, there are two types of threats to the secure operation of routing protocols in the NAN. The first type is compromised smart meters that legitimately participate in the routing but try to corrupt the routing function. The second kind is intruders that may illegally attempt to interfere in routing protocols by impersonating the meters. In a wormhole attack, a compromised meter in area A tunnels its routing table to another compromised meter in a distant area B. The compromised node in area B makes its neighbors believe that nodes in area A are their neighbors by broadcasting routing information sent by the compromised node in area A.
The compromised node in area A may drop the packets received from area B, intercept them for traffic analysis, or route the data so that they miss their deadline, which is one form of DoS attack. A compromised node or an impersonating node can advertise a better metric (in the case of RPL, a lower rank) for reaching the collector, which causes all the meters around it to route packets toward it. Then, by dropping these packets (blackhole attack), the attacker causes those meters' data to be lost. The attack can be performed selectively (greyhole attack) by dropping one packet in every n, one packet every t seconds, or a randomly selected subset of the packets. Table I shows the description of threats along with corresponding layers.
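To make the rank-advertising sinkhole and the blackhole/greyhole behaviour concrete, the following Python simulation is an added example written for this edit; it is not code from the paper. It models a small RPL-like mesh in which every meter adopts the neighbor with the lowest advertised rank as its parent without verifying the claim. The topology, the rank values (collector 0, honest relays 256, meters 512, attacker advertising 128 while really at 512), the attacker node x and the three drop policies are all constructed assumptions.

```python
# Added example (not code from the paper): a toy RPL-style metering mesh in which a
# compromised node advertises a lower rank than its honest neighbors (sinkhole),
# attracts the meters' upward traffic, and then drops it wholesale (blackhole) or
# selectively (greyhole). Ranks, topology and drop policies are constructed.
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    nid: str
    true_rank: int            # real distance-based rank (collector = 0)
    advertised_rank: int      # rank announced in DIO-like messages
    neighbors: list
    drop_policy: Optional[tuple] = None   # None = honest forwarder
    parent: Optional[str] = None
    forwarded: int = 0        # packets this node accepted for forwarding


def select_parents(nodes):
    """Every non-root node picks the neighbor with the lowest *advertised* rank.
    Nothing here verifies the claim, which is exactly what a sinkhole exploits."""
    for node in nodes.values():
        if node.true_rank == 0:
            continue
        node.parent = min(node.neighbors, key=lambda n: nodes[n].advertised_rank)


def drops(node, seq, rng):
    """Greyhole/blackhole policy applied to the seq-th packet seen by this node."""
    if node.drop_policy is None:
        return False
    kind, arg = node.drop_policy
    if kind == "all":            # blackhole: drop everything
        return True
    if kind == "every_n":        # greyhole: one packet in every n
        return seq % arg == 0
    if kind == "random":         # greyhole: each packet dropped with probability arg
        return rng.random() < arg
    raise ValueError(f"unknown policy {kind}")


def deliver(nodes, src, seq, rng, max_hops=16):
    """Forward one report from src along parent pointers; True if the collector gets it."""
    cur = nodes[src]
    for _ in range(max_hops):
        if cur.true_rank == 0:
            return True
        nxt = nodes[cur.parent]
        if drops(nxt, seq, rng):
            return False
        nxt.forwarded += 1
        cur = nxt
    return False   # routing loop: never reached the collector


def build_topology(attack, drop_policy=None):
    """Collector at rank 0, honest relays a and b at rank 256, meters at rank 512.
    Node x is really two hops out (rank 512) but, when attacking, advertises 128,
    below any honest relay, so every meter that hears it adopts x as parent."""
    nodes = {}

    def add(nid, true_rank, adv, neighbors, policy=None):
        nodes[nid] = Node(nid, true_rank, adv, neighbors, policy)

    add("collector", 0, 0, ["a", "b"])
    add("a", 256, 256, ["collector", "m1", "m2", "x"])
    add("b", 256, 256, ["collector", "m3"])
    add("x", 512, 128 if attack else 512, ["a", "m1", "m2", "m3"],
        drop_policy if attack else None)
    add("m1", 512, 512, ["a", "x"])
    add("m2", 512, 512, ["a", "x"])
    add("m3", 512, 512, ["b", "x"])
    select_parents(nodes)
    return nodes


def run_campaign(nodes, meters=("m1", "m2", "m3"), n_reports=300, seed=7):
    """Each meter sends n_reports upward; returns the fraction the collector receives."""
    rng = random.Random(seed)
    delivered = sum(deliver(nodes, m, seq, rng)
                    for seq in range(1, n_reports + 1) for m in meters)
    return delivered / (n_reports * len(meters))


if __name__ == "__main__":
    for label, net in [("honest", build_topology(False)),
                       ("blackhole", build_topology(True, ("all", None))),
                       ("greyhole 1-in-3", build_topology(True, ("every_n", 3))),
                       ("greyhole p=0.5", build_topology(True, ("random", 0.5)))]:
        ratio = run_campaign(net)
        parents = {m: net[m].parent for m in ("m1", "m2", "m3")}
        print(f"{label:16s} parents={parents} delivered={ratio:.2f}")
```

In the honest run m1 and m2 route through a and m3 through b and every report arrives; as soon as x advertises the lower rank all three meters switch their parent to x, and the delivered fraction falls to 0 for the blackhole and to about two thirds for the one-in-three greyhole, while x's forwarding counter shows the traffic it has funnelled onto itself. The point for the IDS design that follows is that nothing in parent selection distinguishes the honest relay from x; only observing the drop pattern does.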
Table I. Attack description.

Attack    Description                          Layer                     Type
Attack 1  Signal jamming                       Physical and MAC layer    DoS
Attack 2  Node compromise                      Physical layer            System compromise
Attack 3  Resource exhaustion                  MAC layer                 DoS
Attack 4  Wormhole                             Network layer             DoS
Attack 5  Blackhole and greyhole               Network layer             DoS
Attack 6  Data injection by compromised node   Transport layer           DoS

MAC, medium access control; DoS, denial of service.

8. A NAN INTRUSION DETECTION SYSTEM

The proposed solution is a distributed and hierarchical IDS that combines anomaly-based and signature-based methods. The fundamental reason for combining the two methods in the NAN is the existence of many unknown attacks that can target the NAN, and the number of such attacks may increase as smart grid deployment becomes more widespread. Therefore, the IDS should be capable of detecting not only existing attacks but also new ones. We study the existing attacks and define their signatures, and we also investigate the normal behavior of the nodes. By combining the two feature sets, we derive decision rules to detect anomalies.

A distributed approach is adopted because the metering network is resource constrained: smart meters have limited computation power, and not all of them can spend time and energy monitoring their neighbors. Moreover, if all smart meters were to run the IDS, they would be too busy to send monitoring messages to their supervisor nodes, and the low-bandwidth links between smart meters could not carry that traffic in any case. As a result, the proposed solution requires only a subset of nodes to run the IDS.

The proposed IDS embraces three kinds of IDS nodes, namely, field IDS, WAN IDS, and central IDS (Figure 5). Field IDSs run on all the collectors as well as on some smart meters that have extra memory and computation power compared with ordinary smart meters, so that they can monitor their neighbors in addition to performing their normal functions. Our IDS requires the following: (i) every immediate next hop of a smart meter toward the collectors should be equipped with a field IDS, and (ii) field IDS nodes should be tamper-resistant so that they cannot be compromised. Field IDSs are responsible for passively monitoring the communication of neighboring smart meters to collect trace data. They report detected attacks to the central IDS at the utility center. Another option is for field IDSs to send detection messages to the gateways that bridge the NAN and the WAN and reside in the WAN (we refer to these as WAN gateways). WAN gateways have sufficient computation power and memory to run the WAN IDS.
The WAN IDS is responsible for the incoming and outgoing traffic from and to the collectors, and in case of detecting an intrusion, it reports the malicious nodes to the central IDS. The reason for running an IDS on the WAN gateway is that when a field IDS cannot reach a decision about suspicious nodes, the WAN IDS, instead of the central IDS, can help the field IDS detect specific intrusions at a faster pace.
[Figure 5 (diagram): utility center running the central IDS; WAN gateway with WAN IDS, reached over cellular, optical, or WiMAX links; collector with field IDS; smart meters with field IDS; ordinary smart meters.]
Figure 5. Neighborhood area network intrusion detection system (IDS). WAN, wide area network.
The central IDS runs in the utility center and is responsible for making global decisions based on the alarms and notifications coming from the WAN and field IDSs. The proposed IDS has the following three phases:

(1) Data collection phase: Field IDSs listen to the communication of neighboring nodes and check it for any abnormality in their communication behavior. WAN IDSs check the communication coming from the collectors for unusual activity. The central IDS checks the reports coming from the WAN gateways and field IDSs to confirm the health of the communications. The communication information kept about each neighbor can include, but is not limited to, the number of transmission attempts, the number of ACKs received, and the number of received packets.

(2) Compliance check phase: IDS nodes take the data from phase 1 and check it for compliance with the normal behavior model and with the attack signatures.

(3) Inference phase: After phase 2, the results are passed to an inference component that derives the final decision: whether the detected anomaly is a malicious attack or just a transient failure. To make accurate decisions in this phase, the IDS node must keep a history of the monitored nodes in order to distinguish occasional network failures from real attacks.

When an intrusion is detected, the system should take appropriate actions in response to the attack. Passive response
is typical in IDSs: the information is logged and a real-time notification is issued. However, because the NAN comprises wireless networks whose devices are located in insecure places, an active response should also be in place. If a detected threat reaches a certain confidence level, the required countermeasures should be taken. For instance, in the case of a jamming attack on the MAC layer, the central office in a substation sends a control message to the target meter instructing it to change its transmission channel. Note that it is assumed that the communications between nodes are secure and that IDS nodes are mutually authenticated using mechanisms such as digital signatures. It is also assumed that there is an access control list in which all nodes have unique link keys associated with their unique IDs.

8.1. Decision rules

In this section, we discuss anomaly detection and the decision rules. A feature set is selected from the intrinsic and observable characteristics of the communications to distinguish normal behavior from anomalies.

• Rule 1: The IDS node should monitor the pattern of data traffic that its neighbors transmit. Because the size and pattern of the communication messages (e.g., firmware updates, usage queries and responses, and offers) exchanged between smart meters and the utility center are defined, any data exchanged between them should resemble the expected model. Any volume of data beyond the determined pattern can be tagged as a suspicious event. If the number of suspicious messages
exceeds a certain threshold, the IDS node should raise a flag indicating a potential threat. An example of such an attack is the data injection attack, which tries to flood the network. This rule can be implemented at field IDSs, WAN IDSs, and the central IDS.
• Rule 2: Transmission power level is another parameter that can be used to detect a signal jamming attack at the physical layer, because the transmission power level is a pre-configured parameter for deployed nodes [31]. The IDS node can monitor its neighbors to detect any deviation from the acceptable levels. This rule can be implemented only at field IDSs, because the central IDS cannot observe this feature.
• Rule 3: Field IDSs should check the interval between transmission attempts; queries and reports are sent at certain intervals (e.g., meter readings are sent every 15 min with a defined pattern). Therefore, if a smart meter violates such a pattern, it should be watched closely. Although alarm messages are sent without any pre-defined interval, sending such messages within short intervals could be a sign of intrusion, in which the compromised node tries to flood the network to exhaust its resources.
• Rule 4: MAC response time is another characteristic that can be monitored by the field IDS. In IEEE 802.11, for example, the receiver replies with an ACK frame after it receives a unicast frame at the MAC layer, to let the sender know that the transmission was successful. If the ACK is not received and the transmission retries exceed the maximum specified bound, a MAC layer failure is reported to the network layer [38]. When the utility center issues a query to a smart meter, the smart meter should transmit a report within a certain delay through its next hop to the utility center. If the smart meter does not respond in the expected time frame, the field IDS should tag the smart meter as suspicious and watch for more such anomalies.
An example is when the smart meter is under a jamming or data injection attack and cannot transmit the data before the expected timeout.
• Rule 5: The central IDS should look for the normal behavior of the smart meter applications in sending ACKs. Only the central IDS can check this feature, because the application data are encrypted at the transport layer (e.g., using secure sockets layer) and can be decrypted only at the utility center. Therefore, if there is a large number of missing ACKs and re-transmissions, the central IDS should tag the smart meter as suspicious. The central IDS then launches an investigation to identify the source of the malicious activity using the lower-level IDS nodes. By probing the nodes along the path to the suspicious node, the source of the problem is located. An adversarial case is when one of the next hops of the smart meter is intentionally dropping the packets destined for that meter (i.e., a blackhole attack), or the target meter is under attack and cannot respond. Another situation is when there is a wormhole in the path from the target meter to the substation. When the substation observes that a specific meter is not responding, it may send a message to the collector IDS asking the collector to investigate the meters along the path and find the nodes that are violating proper forwarding. Because the collector keeps a record of the connected meter IDs, it can warn the neighboring field IDS nodes about the IDs of suspicious nodes that communicate through it.
• Rule 6: WAN and field IDSs should monitor the request/reply pattern between the central office and the smart meters. Requests must only arrive from the central office, and responses must be directed to the central office. If a request comes from another source, or a smart meter is trying to send packets somewhere other than the central office, the IDS nodes should raise an alarm and notify the central office. An example of such an attack is when a compromised node tries to route its traffic to other nodes, which may be participating in a wormhole attack and performing traffic analysis or replay attacks.

Table II depicts the IDS rules and the corresponding attacks discussed in Section 7. An attack detected by a rule is checked (√) in that rule's column. For example, attack 1, the signal jamming attack, can be detected by R2 and R5, which monitor the transmission power level and missing ACKs, respectively. The former detects a smart meter that is jamming the network, whereas the latter detects a smart meter that is under a jamming attack.

Table II. Threats and corresponding rules.

          R1   R2   R3   R4   R5   R6
Attack 1  –    √    –    –    √    –
Attack 2  √    √    √    √    √    √
Attack 3  √    –    √    √    –    –
Attack 4  –    –    –    –    √    √
Attack 5  –    –    –    –    √    –
Attack 6  √    –    √    –    √    –
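The following Python code is an added worked example, not the authors' implementation: a field IDS pipeline with the three phases of Section 8 (phase 1 observation records, phase 2 compliance check against the expected model and the signatures, phase 3 inference over a history of windows) running Rules 1, 3, 4 and 6 over a constructed trace. The utility identifier, the message-size model, the alarm spacing, the 30 s response deadline and the window/history parameters are assumptions chosen for illustration; only the 15-min reading period comes from the text.

```python
# Added example (not the paper's code): a field IDS with the three phases above,
# running rules R1, R3, R4 and R6 over a constructed trace. Message-size model,
# report period, alarm spacing, response deadline and window/history parameters
# are assumptions chosen for illustration.
from collections import defaultdict
from dataclasses import dataclass

UTILITY = "utility"          # assumed identifier of the utility center

# Assumed expected model of NAN traffic (R1 sizes, R3 timing, R4 deadline)
MAX_PAYLOAD = {"report": 64, "alarm": 32, "request": 48, "response": 64}
REPORT_PERIOD = 900.0        # meter readings every 15 min
PERIOD_TOLERANCE = 0.10      # +/-10 % jitter accepted on the report interval
MIN_ALARM_GAP = 60.0         # alarms closer than this look like flooding
RESPONSE_DEADLINE = 30.0     # seconds a meter has to answer a utility query


@dataclass(frozen=True)
class Obs:
    """Phase 1 record: one frame overheard by the field IDS about a neighbor."""
    t: float
    src: str
    dst: str
    kind: str    # report | alarm | request | response
    size: int    # payload bytes


def compliance_check(trace):
    """Phase 2: replay the trace in time order and emit (meter, t, rule, detail)
    for every observation that breaks the model or matches a signature."""
    events, last_report, last_alarm, pending = [], {}, {}, {}
    trace = sorted(trace, key=lambda o: o.t)
    for o in trace:
        # R6 (signature): requests only from the utility, replies only to it
        if o.kind == "request" and o.src != UTILITY:
            events.append((o.src, o.t, "R6", "request from non-utility source"))
        if o.kind in ("report", "alarm", "response") and o.dst != UTILITY:
            events.append((o.src, o.t, "R6", f"{o.kind} addressed to {o.dst}"))
        # R1: payload larger than the defined message model
        if o.size > MAX_PAYLOAD.get(o.kind, 0):
            events.append((o.src, o.t, "R1", f"{o.kind} of {o.size} bytes"))
        # R3: report period and alarm spacing
        if o.kind == "report":
            prev = last_report.get(o.src)
            if prev is not None and abs(o.t - prev - REPORT_PERIOD) > PERIOD_TOLERANCE * REPORT_PERIOD:
                events.append((o.src, o.t, "R3", f"report interval {o.t - prev:.0f}s"))
            last_report[o.src] = o.t
        elif o.kind == "alarm":
            prev = last_alarm.get(o.src)
            if prev is not None and o.t - prev < MIN_ALARM_GAP:
                events.append((o.src, o.t, "R3", f"alarms {o.t - prev:.0f}s apart"))
            last_alarm[o.src] = o.t
        # R4: a queried meter must answer within the deadline
        if o.kind == "request" and o.src == UTILITY:
            pending[o.dst] = o.t
        elif o.kind == "response" and o.src in pending:
            if o.t - pending.pop(o.src) > RESPONSE_DEADLINE:
                events.append((o.src, o.t, "R4", "late response"))
    t_end = trace[-1].t if trace else 0.0
    for meter, t_req in pending.items():          # queries never answered
        if t_end - t_req > RESPONSE_DEADLINE:
            events.append((meter, t_end, "R4", "query never answered"))
    return events


def infer(events, window=900.0, history=4, min_windows=2, signatures=("R6",)):
    """Phase 3: bucket each meter's events into windows and look at the recent
    history. Signature hits are flagged at once; anomalies must persist in at
    least min_windows of the last `history` windows to count as an attack,
    otherwise they are written off as a transient failure."""
    per_meter = defaultdict(lambda: defaultdict(set))
    for meter, t, rule, _ in events:
        per_meter[meter][int(t // window)].add(rule)
    verdicts = {}
    for meter, windows in per_meter.items():
        latest = max(windows)
        recent = [w for w in windows if w > latest - history]
        rules = set().union(*(windows[w] for w in recent))
        attack = bool(rules & set(signatures)) or len(recent) >= min_windows
        verdicts[meter] = "attack" if attack else "transient"
    return verdicts


def analyse(trace):
    events = compliance_check(trace)
    return events, infer(events)


# Constructed trace: m1 behaves; m2 floods oversized reports (data injection);
# m3 has one late reading; m9 issues a rogue query that m4 answers off-path;
# m5 never answers the utility's query.
TRACE = (
    [Obs(t, "m1", UTILITY, "report", 40) for t in (0, 900, 1800, 2700)]
    + [Obs(1000, UTILITY, "m1", "request", 40), Obs(1010, "m1", UTILITY, "response", 40)]
    + [Obs(t, "m2", UTILITY, "report", 200) for t in range(0, 2001, 100)]
    + [Obs(t, "m3", UTILITY, "report", 40) for t in (0, 1300, 2200, 3100)]
    + [Obs(500, "m9", "m4", "request", 40), Obs(505, "m4", "m9", "response", 40)]
    + [Obs(100, UTILITY, "m5", "request", 40)]
)

if __name__ == "__main__":
    evts, verdicts = analyse(TRACE)
    for meter, verdict in sorted(verdicts.items()):
        fired = sorted({r for m, _, r, _ in evts if m == meter})
        print(f"{meter}: {verdict:9s} rules={fired}")
```

Running it flags m2 as an attack because R1 and R3 fire in three consecutive windows, flags m9 and m4 immediately on the R6 signature (a request not from the utility, and a response not addressed to it), and writes off m3's single late reading and m5's unanswered query as transient, which is the "tag as suspicious and watch for more such anomalies" behaviour of Rule 4 rather than an alarm. Rules 2 and 5 are omitted because they need the radio (transmission power) or the decrypted application layer, neither of which a trace of overheard frames contains.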
9. CONCLUSION

As a critical infrastructure in the smart grid, AMI requires the highest level of security and a comprehensive architecture with security built in. As AMI deployment becomes more widespread, the security threats grow in parallel, possibly at an even faster pace. Security measures and intrusion detection techniques are of paramount importance in building a secure and reliable AMI. In this paper, we presented the security challenges, existing security measures, and IDS solutions for AMI. We proposed a combined anomaly- and signature-based IDS solution to monitor the smart metering communication network, considering various attacks targeting the physical, MAC, network, and transport layers. As future work, we intend to simulate our proposed
IDS and observe how it performs in terms of false positive and false negative alarms. In addition, we plan to take into account the attacks specific to the RPL routing protocol in the smart meter network.
ACKNOWLEDGEMENT This work was supported by the NSERC CRD project funded by Toronto Hydro Electric System Limited (THESL).
REFERENCES
1. Berthier R, Sanders WH. Specification-based intrusion detection for advanced metering infrastructures. IEEE 17th Pacific Rim International Symposium on Dependable Computing (PRDC), 2011; 184–193.
2. Parks RC. Advanced metering infrastructure security considerations, 2007.
3. Cleveland FM. Cyber security issues for advanced metering infrastructure (AMI). IEEE Power and Energy Society General Meeting: Conversion and Delivery of Electrical Energy in the 21st Century, 2008; 1–5.
4. Rahimi F, Ipakchi A. Demand response as a market resource under the smart grid paradigm. IEEE Transactions on Smart Grid Jun 2010; 1(1): 82–88.
5. Li F, Qiao W, Sun H, et al. Smart transmission grid: vision and framework. IEEE Transactions on Smart Grid Sep 2010; 1(2): 168–177.
6. Wang W, Xu Y, Khanna M. A survey on the communication architectures in smart grid. Computer Networks 2011; 55(15): 3604–3629.
7. Fadlullah ZM, Fouda MM, Kato N, Takeuchi A, Iwasaki N, Nozaki Y. Toward intelligent machine-to-machine communications in smart grid. IEEE Communications Magazine Apr 2011; 49(4): 60–65.
8. Sauter T, Lobashov M. End-to-end communication architecture for smart grids. IEEE Transactions on Industrial Electronics Apr 2011; 58(4): 1218–1228.
9. Introduction to NISTIR 7628 guidelines for smart grid cyber security, Sep 2010.
10. Report to NIST on smart grid interoperability standards roadmap. EPRI, Jun 2009.
11. Bennett C, Highfill D. Networking AMI smart meters. IEEE Conference on Energy, 2008; 1–8.
12. Wang X, Yi P. Security framework for wireless communications in smart distribution grid. IEEE Transactions on Smart Grid Dec 2011; 2(4): 809–818.
13. Parikh PP, Kanabar MG, Sidhu TS. Opportunities and challenges of wireless communication technologies for smart grid applications. IEEE Power and Energy Society General Meeting, 2010; 1–7.
14. Berthier R, Sanders WH, Khurana H. Intrusion detection for advanced metering infrastructures: requirements and architectural directions. First IEEE International Conference on Smart Grid Communications (SmartGridComm), 2010; 350–355.
15. McLaughlin S, Podkuiko D, Miadzvezhanka S, Delozier A, McDaniel P. Multi-vendor penetration testing in the advanced metering infrastructure. Proceedings of the 26th Annual Computer Security Applications Conference, 2010; 107–116.
16. McDaniel P, McLaughlin S. Security and privacy challenges in the smart grid. IEEE Security & Privacy Jun 2009; 7(3): 75–77.
17. Yan Y, Qian Y, Sharif H. A secure and reliable in-network collaborative communication scheme for advanced metering infrastructure in smart grid. IEEE Wireless Communications and Networking Conference (WCNC), 2011; 909–914.
18. Lu Z, Lu X, Wang W, Wang C. Review and evaluation of security threats on the communication networks in the smart grid. Military Communications Conference, MILCOM, 2010; 1830–1835.
19. LeMay M, Gunter C. Cumulative attestation kernels for embedded systems. In Computer Security, ESORICS. Springer: Berlin, Heidelberg, 2009; 655–670.
20. Schuba CL, Krsul IV, Kuhn MG, Spafford EH, Sundaram A, Zamboni D. Analysis of a denial of service attack on TCP. IEEE Symposium on Security and Privacy, Proceedings, 1997; 208–223.
21. Yaar A, Perrig A, Song D. Pi: a path identification mechanism to defend against DDoS attacks. IEEE Symposium on Security and Privacy, Proceedings, 2003; 93–107.
22. Metke AR, Ekl RL. Security technology for smart grid networks. IEEE Transactions on Smart Grid Jun 2010; 1(1): 99–107.
23. So HK, Kwok SHM, Lam EY, Lui K. Zero-configuration identity-based signcryption scheme for smart grid. First IEEE International Conference on Smart Grid Communications (SmartGridComm), 2010; 321–326.
24. Efthymiou C, Kalogridis G. Smart grid privacy via anonymization of smart metering data. First IEEE International Conference on Smart Grid Communications (SmartGridComm), 2010; 238–243.
25. Aravinthan V, Namboodiri V, Sunku S, Jewell W. Wireless AMI application and security for controlled home area networks. IEEE Power and Energy Society General Meeting, 2011; 1–8.
26. Bartoli A, Hernandez-Soriano J, Dohler M, Kountouris A, Barthel D. Secure lossless aggregation for smart grid M2M networks. First IEEE International Conference on Smart Grid Communications (SmartGridComm), 2010; 333–338.
27. Thonet G, Allard-Jacquin P, Colle P. ZigBee–WiFi coexistence. Technical Report, Schneider Electric, Apr 2008.
28. Bishop M. Introduction to Computer Security. Addison-Wesley: Boston, MA, 2004.
29. Jokar P, Nicanfar H, Leung V. Specification-based intrusion detection for home area networks in smart grids. IEEE International Conference on Smart Grid Communications (SmartGridComm), 2011; 208–213.
30. Kush N, Foo E, Ahmed E, Ahmed I, Clark A. Gap analysis of intrusion detection in smart grids. In 2nd International Cyber Resilience Conference, Valli C (ed.). Secau-Security Research Centre, 2011; 38–46.
31. Roosta T, Nilsson DK, Lindqvist U, Valdes A. An intrusion detection system for wireless process control systems. 5th IEEE International Conference on Mobile Ad Hoc and Sensor Systems, MASS, 2008; 866–872.
32. Iyer G, Agrawal P, Monnerie E, Cardozo RS. Performance analysis of wireless mesh routing protocols for smart utility networks. IEEE International Conference on Smart Grid Communications (SmartGridComm), 2011; 114–119.
33. Kulkarni P, Gormus S, Fan Z, Motz B. A self-organising mesh networking solution based on enhanced RPL for smart metering communications. IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2011; 1–6.
34. Aimajali A, Viswanathan A, Neuman C. Analyzing resiliency of the smart grid communication architectures under cyber attack. 5th Workshop on Cyber Security Experimentation and Test, 2012.
35. Bennett C, Wicker SB. Decreased time delay and security enhancement recommendations for AMI smart meter networks. Innovative Smart Grid Technologies (ISGT), 2010; 1–6.
36. Jung J, Lim K, Kim J, Ko Y, Kim Y, Lee S. Improving IEEE 802.11s wireless mesh networks for reliable routing in the smart grid infrastructure. IEEE International Conference on Communications Workshops (ICC), 2011; 1–5.
37. Internet Engineering Task Force (IETF) Routing Over Low power and Lossy networks (ROLL) working group. Routing over low power and lossy networks (RPL). Technical Report, Dec 2010.
38. Wang D, Tao Z, Zhang J, Abouzeid AA. RPL based routing for advanced metering infrastructure in smart grid. IEEE International Conference on Communications Workshops (ICC), 2010; 1–6.
39. Iwao T, Yamada K, Yura M, et al. Dynamic data forwarding in wireless mesh networks. First IEEE International Conference on Smart Grid Communications (SmartGridComm), 2010; 385–390.
40. Beigi-Mohammadi N, Khazaei H, Misic J, Misic VB. On intrusion detection in a neighborhood area network in the smart grid. Journal of Information Technology and Applications (JITA) Jun 2012; 2(1): 7–13.
41. Blum J, Neiswender A, Eskandarian A. Denial of service attacks on inter-vehicle communication networks. International IEEE Conference on Intelligent Transportation Systems, ITSC, 2008; 797–802.
42. Lopez J, Roman R, Alcaraz C. Analysis of security threats, requirements, technologies and standards in wireless sensor networks. In Foundations of Security Analysis and Design V, vol. 5705. Springer: Berlin, Heidelberg, 2009; 289–338.
43. Fadlullah Z, Fouda M, Kato N, Shen X, Nozaki Y. An early warning system against malicious activities for smart grid communications. IEEE Network Oct 2011; 25(5): 50–55.