Hardware-based IDS for AMI Devices
Sandia National Laboratories
Many embedded system devices used in critical infrastructure applications are easily accessible in the supply chain and can be tampered with or altered such that the authenticity of the devices cannot be assured. The installation of a hardware-based backdoor gives a cyber-attacker unlimited eavesdropping access to logic-level communication within a Smart Grid device and is virtually undetectable by state-of-the-art intrusion detection systems. Because a hardware-based backdoor can be inserted during manufacturing or at any later point in the deployment lifecycle, a one-time verification is insufficient.

This research activity looked at ways to identify such attacks at the embedded system board level, while keeping in mind the constraints of manufacturing cost and normal system performance. It also treated the supply chain as a system-level cybersecurity problem, looking for ways to bridge manufacturing practices and lifecycle information assurance. More specifically, the objectives were to identify the electrical characteristics of hardware-based, logic-level attacks; to derive a hardware detection algorithm that could be scaled to different communication bus speeds; to identify nonlinear circuits that provide a differential comparison between normal inter-chip communication and unauthorized use during a hardware-based attack, without the use of stored “secret” values; and to study the analog characteristics of low-cost circuit components to determine whether normal manufacturing process variance is enough to create unique hardware signatures that are difficult to replicate.

We created the Smart Meter Research Platform to enable embedded system security research, and completed an empirical model of hardware-intruder electrical characteristics from 80 million measured data points.
We found that signatures of various intruders are distinct, and that an intrusion detection system can accurately distinguish among several varieties of hardware intruders at 89% accuracy with a non-optimized algorithm (i.e., the accuracy can easily be improved). Our approach provides a high-resolution view of the security status of AMI devices and systems with low impact on system performance; it is low-cost and can easily be integrated into new Smart Grid devices.
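The following Python script is an added illustration of the detection idea described above; it is not Sandia's circuit, algorithm or measured data. It models a logic-level bus edge as an RC charging curve, assumes (hypothetically) that a tap hung on the line adds parasitic capacitance and therefore stretches the edge, learns the board's own normal rise-time statistics at commissioning (a property of the physical channel rather than a stored secret, so it follows whatever bus speed the board uses), flags edges that deviate from that baseline, and then classifies flagged edges against a small set of made-up intruder profiles with a nearest-centroid rule. All component values, profile names and noise levels are constructed for the example.

```python
import math
import random
import statistics

# Constructed, illustrative model: a logic-level bus edge is treated as an RC
# charging curve. The driver's output resistance and the lumped capacitance of
# the legitimate receivers set the time constant; a hardware tap hung on the
# same line adds parasitic capacitance (hypothetical values below), which
# stretches the edge. That analog side-effect is what the detector measures.
SAMPLE_PERIOD_S = 1e-10       # 10 GS/s sampling of the bus line
V_HIGH = 3.3                  # logic-high level, volts
R_DRIVER_OHMS = 50.0          # driver output resistance
C_BUS_F = 20e-12              # legitimate lumped load on the line
N_SAMPLES = 120               # samples captured per edge (12 ns window)

# Hypothetical intruder profiles: extra capacitance each kind of tap adds.
EXTRA_CAP_F = {
    "normal": 0.0,
    "passive_probe": 8e-12,
    "logic_analyzer_tap": 25e-12,
}


def sample_edge(extra_cap_f, rng, noise_v=0.02):
    """One rising edge as voltage samples with Gaussian measurement noise."""
    tau = R_DRIVER_OHMS * (C_BUS_F + extra_cap_f)
    return [
        V_HIGH * (1.0 - math.exp(-i * SAMPLE_PERIOD_S / tau)) + rng.gauss(0.0, noise_v)
        for i in range(N_SAMPLES)
    ]


def rise_time_s(edge):
    """10%-90% rise time in seconds, from the first crossing of each level."""
    def first_cross(level):
        for i, v in enumerate(edge):
            if v >= level:
                return i
        return len(edge) - 1
    return (first_cross(0.9 * V_HIGH) - first_cross(0.1 * V_HIGH)) * SAMPLE_PERIOD_S


def enroll_baseline(rng, n_edges=50):
    """Rise-time statistics of the board's own normal traffic, measured at
    commissioning. This is a property of the physical channel, not a stored
    secret, and it adapts to whatever bus speed the board runs at."""
    rts = [rise_time_s(sample_edge(0.0, rng)) for _ in range(n_edges)]
    return statistics.mean(rts), statistics.pstdev(rts)


def anomaly_score(edge, baseline):
    """How many baseline standard deviations this edge's rise time is off by."""
    mean, std = baseline
    return abs(rise_time_s(edge) - mean) / max(std, SAMPLE_PERIOD_S)


def train_centroids(rng, n_per_class=30):
    """Mean rise time per known profile (nearest-centroid classifier)."""
    return {
        label: statistics.mean(rise_time_s(sample_edge(cap, rng)) for _ in range(n_per_class))
        for label, cap in EXTRA_CAP_F.items()
    }


def classify(edge, centroids):
    """Assign the edge to the profile whose centroid rise time is closest."""
    rt = rise_time_s(edge)
    return min(centroids, key=lambda label: abs(centroids[label] - rt))


def evaluate(seed=1, n_test=99, threshold=4.0):
    """Run enrollment, training and a labelled test pass; return summary counts."""
    rng = random.Random(seed)
    baseline = enroll_baseline(rng)
    centroids = train_centroids(rng)
    labels = list(EXTRA_CAP_F)
    result = {"correct": 0, "intruders": 0, "intruders_flagged": 0, "normal_flagged": 0}
    for k in range(n_test):
        truth = labels[k % len(labels)]
        edge = sample_edge(EXTRA_CAP_F[truth], rng)
        result["correct"] += classify(edge, centroids) == truth
        flagged = anomaly_score(edge, baseline) > threshold
        if truth == "normal":
            result["normal_flagged"] += flagged
        else:
            result["intruders"] += 1
            result["intruders_flagged"] += flagged
    result["accuracy"] = result["correct"] / n_test
    return result


if __name__ == "__main__":
    print(evaluate())
```

Two design points carry over from the text even though the circuit here is invented: the baseline is a differential measurement of this board against itself, so nothing secret has to be stored on the device, and the classifier only has to separate a handful of coarse intruder classes, which is why a single analog feature such as rise time is enough in this toy setting. A real board would see much smaller effects from a well-designed tap, so a deployable detector would need more features and higher measurement resolution than this script uses.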
AMI Hardware Intrusion: Demo of an advanced metering infrastructure hardware intrusion detection system, presented by Nathan Edwards at the TCIPG Industry Workshop in November 2011.