Malware propagation in smart grid monocultures

ORIGINALARBEIT Elektrotechnik & Informationstechnik (2018) 135/3: 264–269. https://doi.org/10.1007/s00502-018-0616-5

P. Eder-Neuhauser, T. Zseby, J. Fabini

Smart power grids require a communication infrastructure to collect sensor data and to send control commands. The common trend for cost reduction influences the architecture, implementation, networking, and operation of smart grid devices. Whereas hardware and software reuse are imperative for vendors to lower device costs, utility companies substantially decrease their operational costs by deploying a homogeneous device base. Thousands of smart meters that feature identical hardware, firmware, and software are one main prerequisite for automated maintenance, support, and device replacement. However, these cost savings create optimum conditions for malware propagation and infection in the grids’ control networks. In this paper we show how monocultures in device types can lead to critical situations if malware exploits a common vulnerability. Although we assume that classical defensive measures, e.g., firewalls, virtual networks, and intrusion detection, are in place, we argue that new or unpatched vulnerabilities cannot be ruled out and may lead to a very fast distribution of malware in large parts of the smart grids’ control network. Besides showing how fast malware can spread in device monocultures, we also discuss effective defensive measures that can support utility companies in preventing or containing malware distribution.

Keywords: malware attacks; smart grids; communication networks; network security

German abstract. Smart power grids need communication technologies to transmit sensor data and control information. The modular structure of hardware, firmware and software, and their partial reuse across different components of the smart grid, make it possible to lower manufacturing and investment costs. The fewer hardware, firmware and software versions are rolled out in the field, the lower the expected operating costs, for instance for automated updates, device maintenance, device replacement and training. These financial incentives result in an extremely homogeneous device base in the smart grid. This creates optimal conditions for the propagation of malware in smart grid communication networks. Keywords: malware attacks; smart grids; communication networks; network security

Received February 19, 2018, accepted May 18, 2018, published online June 5, 2018. © The Author(s) 2018

Eder-Neuhauser, Peter, TU Wien, Institute of Telecommunications, Gußhausstraße 25/E389, 1040 Vienna, Austria (E-mail: peter.eder-neuhauser@nt.tuwien.ac.at); Zseby, Tanja, TU Wien, Institute of Telecommunications, Gußhausstraße 25/E389, 1040 Vienna, Austria (E-mail: tanja.zseby@tuwien.ac.at); Fabini, Joachim, TU Wien, Institute of Telecommunications, Gußhausstraße 25/E389, 1040 Vienna, Austria (E-mail: joachim.fabini@tuwien.ac.at)

1. Introduction

Modern smart grids consist of numerous devices that must be managed and controlled. Commonly one single authority, the utility company, administers a huge number of field devices through its control centers. However, this huge number contrasts with only few deployed device types like, e.g., one smart meter type and one gateway type for a specific subnet. Reasons for deploying only few device types include, but are not limited to, (a) requirements of a particular grid operator that are fulfilled by few vendors and devices, (b) proprietary protocols or extensions that question interoperability, (c) national regulations that lead to different feature sets, and (d) maintenance, replacement and cost considerations. For instance, national regulations constrain the minimum reading intervals, the ability to switch power off and on remotely, and many other features of smart meters. Moreover, testing new firmware releases for these smart meters on functionality, interoperability, or compliance with national regulations is a demanding task in terms of time, effort, and cost. This aggregation of social, technical, and legislative reasons results in utilities creating monocultures or groups of monocultures in their network. This offers unique incentives and opportunities for attackers who can exploit one single vulnerability, or very similar vulnerabilities in common device types or reused software frameworks across the entire hierarchy, to infect, control, and abuse a huge set of devices. For instance, the recent Spectre attacks, cf. [11, 12], confirm that as little as sharing the same processor family can result in common vulnerabilities of distinct devices.

Network segmentation can help to limit malware spreading once a device has been compromised. Nevertheless, it may fail, e.g., due to misconfigured firewalls or unforeseen propagation paths. This can have catastrophic consequences if malware propagation remains undetected and malware can roam through an entire population of nodes in critical infrastructures.

The main contributions of this paper include a model of how malware propagates in critical infrastructure monocultures if network segmentation fails. We consider the stages that malware will transition through while infecting the key points in the network and the countermeasures that utilities can adopt to defend themselves during these stages. The proposed attack model considers three representative malware categories and discusses their impact in critical infrastructures. The findings are based on simulations, and results are presented using an exemplary simulation run for a hypothetical but representative topology.

This paper is structured as follows. Section 2 introduces the proposed network topology and the corresponding communication model. The attack model is discussed in Sect. 3. We simulate malware propagation using one example for a monoculture network (described in Sect. 4) and discuss the respective failure of network segmentation in the results in Sect. 5. Section 6 concludes the paper.

2. Network topology and communication model

Figure 1 illustrates the network topology as basis for subsequent discussions and simulations. It consists of two networks, each with 49 low level (LL) nodes (i.e., 2 · 7 · 7 nodes in a symmetric setup, roughly representing two city blocks) and one connecting gateway. The LL-nodes represent the last controlling instance that operators can access before entering customers’ premises. We argue that with the evolution of Smart Grids the LL-nodes will act as proxies and interfaces through which operators can control services such as decentralized power management or demand side management within customers’ premises.

Fig. 1. Network topology of 2 networks, connected through a gateway

The connecting gateway node represents a local control entity that is located in a central location such as the transformer station and is in charge of the management of data flows. Once the gateway is infected an attacker could enter the overlain control network (not simulated) of the utility company.

Our setup represents two subnets of different energy infrastructures which are connected via network equipment in order to benefit from shared resources and control technologies. Such a scenario of interconnecting different networks for optimizing control is commonly found in the literature, for instance in [2, 4, 7, 13]. Networks A and B could represent either two power grids or grids for different utilities, e.g., network A could represent a gas grid and network B a power grid.

Our sample topology contains only a small number of devices compared to typical large grid installations, which, e.g., include approximately 1.6 million smart meters for the city of Vienna, Austria [17], but is sufficient to show the effects of monocultures in smart grids.

Figure 2 illustrates the used communication model with legitimate and malicious communication that is sent to the gateway. LL-nodes can only communicate with the gateway (a medium level (ML) node) but not with other LL-nodes. The gateway is aggregating and analyzing all data, thus, there is no need to send data from one LL-node to another in the other network. The gateway does not route information to another destination in the other network, except to the control center which is positioned hierarchically above the ML-node, being outside of the simulation scope. All nodes can initiate the communication to the gateway and the gateway can poll LL-nodes for additional data or push firmware updates. Figure 2 shows the legitimate communication and also illegitimate communication of infected nodes that are targeting other nodes in their own network. Communication attempts across the infrastructure should be mitigated with appropriate defense measures, e.g., firewalls or intrusion detection systems. But these systems can sometimes fail because of technological constraints or vulnerabilities in the network protocol stack like, e.g., in the case of wireless ad-hoc networks. Moreover, active scanning activities by infected LL-nodes can be detected at the gateway if it is capable of intrusion detection functions and listening for anomalous traffic.

Fig. 2. Communication traffic and patterns

3. Attack model

Network segmentation is crucial to prevent malware from spreading in the network. One example of a rogue broadcast message that originated inside a gas grid control network, proliferating into a power grid control network and resulting in a denial of service, is presented in [2]. Although this example was an accident and not an intentional malicious attack, it shows that improperly segmented networks can, in this case by a configuration error, lead to large-scale node failure and possibly to catastrophic consequences. In theory a gateway should strictly segment the two networks, but the ML-node may be affected by vulnerabilities or misconfiguration, too.

In our work we simulate malware propagation that could shut down all nodes or mount similar denial of service attacks if all nodes are infected.

Our attack model is based on a malware type named endemic malware, as introduced in [6]. We argue that the assumption of such automated self-propagating malware is reasonable because manual infection of all nodes in a large smart grid does not scale well [5]. Endemic malware aggregates capabilities of advanced existing malware types that are capable of extracting network information from the infected host, optimizing the scanning strategy to the network setup, and obfuscating the propagation behavior. It uses a permutation hitlist scanning strategy that copies the target hitlist, including the scanned nodes, among malware children in order to minimize rescans (i.e., scanning nodes again that already have been scanned). Endemic malware is highly modular, requires a high level of development effort, and therefore could also have the capability to utilize multiple vulnerabilities to infect nodes. Moreover, it opens dedicated connections to its victims, making the malware detectable by connection-based anomaly detection in the network.

Nevertheless, capabilities that enable the malware to stay undetected on a host for a period of time make endemic malware a challenging adversary. Therefore, we assume that host based defenses, e.g., virus scanning software, may not detect this advanced malware type, as was the case initially with the Stuxnet worm and its cousins [1]. The goal of endemic malware in our simulation is to infect all nodes in both infrastructures to commence different attack types, e.g., shutting down all nodes, shutting down selected nodes, or building a botnet for denial of service attacks, cf. [6]. Infected field nodes can disguise themselves as gateways toward other field nodes to infect victims laterally. A similar behavior has been observed for instance in the Flame malware [10]. The endemic malware is described in detail in [6].

We use the endemic malware as basis for our simulations. Additionally, as a comparison we show the capabilities of two other malware types, namely pandemic and contagion malware, cf. [6], and compare them with the features of the endemic malware. However, we do not simulate them.

Furthermore, we discuss pandemic malware, which represents aggressive malware types that use random scanning to discover new victims in a brute-force manner, enabling defenders to quickly identify it in the network. Pandemic malware implementation lacks sophisticated features, is generally simple and involves a relatively low development effort. These characteristics facilitate its use by a broad range of user groups. With the source code of some variants [14] being accessible on the Internet as a template, even less skilled attackers can modify and implement their own version. However, besides the aggressive scanning, victims are contacted by opening a dedicated connection, which should also be detectable by connection-based intrusion detection.

The last malware type, called contagion malware, represents highly advanced malware that obfuscates all aspects of its presence, cf. [6]. Contagion malware exploits application layer vulnerabilities [8] to propagate hidden within established legitimate TCP connections instead of opening new dedicated connections to the victims. This is why it is invisible to connection-based anomaly detection. Such a malware requires defenders to inspect every legitimate connection for anomalies, e.g., anomalous peaks of packets, anomalous packet timings, or anomalous packet size variations inside a flow. With encrypted communication channels at network or transport layer, such anomaly detection becomes a challenging task.

We define the starting point of the infection at one compromised LL-node as patient zero. It represents, e.g., an infected smart meter, which can initially be compromised via unpatched or new vulnerabilities. We assume that the utility operates a device monoculture and that an exploitable set of similar vulnerabilities exists throughout the entire population and across all hierarchy levels of the deployed devices. This is typically the case when all devices are manufactured by one vendor and operate the same firmware release, or reuse parts of the same hardware or software like, e.g., operating system, software development framework, or common libraries. Recently reported vulnerabilities, which have persisted over generations of CPUs (cf. [11, 12]), confirm that exploitable hardware monocultures are highly realistic assumptions in today’s systems. The alarming conclusion is that a sufficient condition for the establishment of a huge cross-vendor device monoculture involves as little as two smart meter vendors using the same CPU family in their product designs. Our fictional vulnerability affects all network nodes and allows remote code execution and administrator rights upon infection.

Figure 3 illustrates the different capabilities and characteristics of pandemic (yellow), endemic (blue), and contagion malware (red), as introduced in [6]. The figure depicts features, characteristics, capabilities, and particular strengths of the different malware types. The more sophisticated a malware feature, the more distant the corresponding point is located from the diagram origin. Therefore, assuming equal weighting for all features, a larger area represents a greater threat to defenders.

Fig. 3. A threat matrix for smart grid enabled malware, its capabilities and defensive efforts

General features, e.g., the development effort, show that pandemic malware is simple, therefore accessible to a larger group compared to the more advanced malware types. Endemic and contagion malware require increased resources, which may be a drawback for the attacker, thus a benefit for defenders. Moreover, increased development effort coincides with advanced on-board defense features against detection that are available in modular extensions. This increased effort pays off and represents a benefit for attackers in terms of improved attack capabilities.

Increased stealthiness features, which support reduced network scanning and stealthy malware propagation in networks, on one hand decrease propagation speed and frequently coincide with increased development effort. On the other hand, advanced on-board capabilities enable the malware to optimize resource consumption in the network and/or on the host, supporting advanced features like, e.g., additional attack vectors, obfuscation capabilities, or advanced scanning strategies. The insert in Fig. 3 differentiates between general features, network domain features, and host domain features.

An additional malware categorization is with respect to pre-infection, the initial propagation phase, vs. post-infection, the operational phase. Pre-infection includes all actions that happen in the first few moments of a malware lifetime. This is the instant in time when the malware must propagate itself autonomously in a network, as simulated in our example. This step is intentionally automated due to the assumed large scale smart grid.

The operational phase, however, represents the malware’s capability to stay hidden (unobserved) and persistent for an extended period. This includes low CPU usage by the malware such that defending software may not identify CPU overload for a system that is supposed to operate within specifications. Failure of the malware to do so opens opportunities for defending software that can detect either processes on the host that act suspiciously or excess network traffic for malware command and control (C&C) or propagation activities.

Other host based features that correlate well with the development effort include the malware’s payload structure. A monomorphic payload represents a simple construct that may change in size but produces similar signatures. Therefore, it can be detected reliably whenever heuristic signatures are available. A polymorphic payload complicates detection by scrambling its shape and size through encryption. Still, decrypted payloads will produce identical signatures on the local drive of the host, being detectable by heuristic methods. Malware featuring a metamorphic payload requires the highest development effort, varying in size, shape, encoding, and encryption. Moreover, recompilation on the host system can be used to obfuscate any trace of the payload’s presence, cf. [9].

We use these three malware types, cf. [6], as the starting base and simulate one example of the endemic malware.
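The three observation points this section gives a gateway-side defender, written out as an added example (not the authors' code): the gateway as the only legitimate peer of an LL-node (Fig. 2), the dedicated connections that endemic and pandemic malware open to many peers, and the in-flow anomalies that are the only trace contagion malware leaves inside a legitimate connection. The flow records, node names and thresholds are constructed for this example.

```python
"""Gateway-side checks for the communication model of Fig. 2 (added example, not the paper's code).

Three detectors over flow records seen at the gateway:
  policy_violations  - any flow that does not involve the gateway (LL-nodes may only talk to it)
  scanners           - sources that open connections to many distinct peers in a short window
  in_flow_anomalies  - legitimate LL->gateway flows whose packet size departs from the node's baseline
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List

GATEWAY = "GW"


@dataclass(frozen=True)
class Flow:
    t: float      # flow start, seconds (constructed)
    src: str      # "A3" = LL-node 3 in network A, "B2" = LL-node 2 in network B, "GW" = gateway
    dst: str
    pkts: int     # packets in the flow
    size: int     # bytes in the flow


def policy_violations(flows: List[Flow]) -> List[Flow]:
    """Fig. 2 allows only LL<->gateway traffic; an LL-node contacting any other node is a lateral attempt."""
    return [f for f in flows if GATEWAY not in (f.src, f.dst)]


def scanners(flows: List[Flow], window: float = 10.0, fanout: int = 4) -> Dict[str, int]:
    """Endemic and pandemic malware open a dedicated connection per victim, so one source
    contacting many distinct peers within `window` seconds is the connection-level signal.
    Returns {source: largest number of distinct peers seen in one window} above `fanout`."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.t):
        by_src[f.src].append(f)
    hits: Dict[str, int] = {}
    for src, fl in by_src.items():
        worst = 0
        for i, first in enumerate(fl):
            peers = {g.dst for g in fl[i:] if g.t - first.t <= window}
            worst = max(worst, len(peers))
        if worst >= fanout:
            hits[src] = worst
    return hits


def in_flow_anomalies(flows: List[Flow], baseline_n: int = 5, z: float = 3.0) -> List[Flow]:
    """Contagion malware rides inside legitimate LL->gateway flows, so only the flow's own shape
    can betray it. Here: mean packet size of each later flow against the node's first
    `baseline_n` flows (z-score); timing and packet-count peaks would be checked the same way."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.t):
        if f.dst == GATEWAY:
            by_src[f.src].append(f)
    flagged: List[Flow] = []
    for fl in by_src.values():
        base = [f.size / f.pkts for f in fl[:baseline_n]]
        if len(base) < baseline_n:
            continue  # not enough history for this node yet
        mu, sd = mean(base), pstdev(base) or 1.0
        flagged += [f for f in fl[baseline_n:] if abs(f.size / f.pkts - mu) / sd > z]
    return flagged


# Constructed sample: regular readings of A3 (about 120 B/packet), one gateway poll, one report
# from network B, a compromised A7 contacting peers directly, and one A3 report carrying a payload.
SAMPLE_FLOWS = [
    Flow(0.0, "A3", "GW", 10, 1200), Flow(15.0, "A3", "GW", 10, 1180),
    Flow(30.0, "A3", "GW", 10, 1220), Flow(45.0, "A3", "GW", 10, 1210),
    Flow(60.0, "A3", "GW", 10, 1190), Flow(65.0, "A3", "GW", 10, 1230),
    Flow(70.0, "A3", "GW", 10, 14000),            # same peer, same packet count, 1400 B/packet
    Flow(5.0, "GW", "A3", 2, 160), Flow(6.0, "B2", "GW", 10, 1200),
    Flow(40.0, "A7", "A1", 3, 240), Flow(40.5, "A7", "A2", 3, 240), Flow(41.0, "A7", "A5", 3, 240),
    Flow(42.0, "A7", "A9", 3, 240), Flow(43.0, "A7", "A14", 3, 240), Flow(44.0, "A7", "GW", 3, 240),
]

if __name__ == "__main__":
    print("policy violations:", [(f.src, f.dst) for f in policy_violations(SAMPLE_FLOWS)])
    print("scanning sources:", scanners(SAMPLE_FLOWS))
    print("in-flow anomalies:", [(f.src, f.t) for f in in_flow_anomalies(SAMPLE_FLOWS)])
```

The first two detectors see endemic and pandemic behaviour at the gateway; only the third has any chance against contagion malware, and it needs per-node history before it can say anything.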
4. Simulation model

Our simulations are based on the ns3 network simulation environment [15], version 3.26. We simulate two mesh networks that use the Optimized Link State Routing (OLSR) protocol [16] for lower layer routing. The two mesh networks are connected via a gateway, which has two network interfaces, one for each network, whereas each LL-node has one single network interface. At IP layer, the LL-nodes are supposed to communicate only with the gateway interface, although messages may pass several OLSR nodes during the lower-layer routing process.

Our malware model consists of a self-carried propagation model including the dropper and the payload which is unpacked on the infected host nodes [6].

5. Network segmentation and monocultures

This section discusses the failure of network segmentation measures and elaborates on the drawbacks of homogeneous infrastructures, i.e., monocultures. The simulation is restricted to endemic malware, results and conclusions being applicable to other malware types, too, as detailed in [6]. We omit simulations of the pandemic and contagion malware types but discuss the differences between the three malware types.

First, network segmentation, by, e.g., firewalls or virtual networks, is often used as an effective measure to contain malware propagation, cf. [6]. In case proactive measures fail to protect the gateway, e.g., because of a new or unpatched vulnerability, both parts of the network may be affected. Monocultures therefore can support malware propagation. Figure 4 shows a simulation of two networks of the same size, i.e., each network has 49 nodes. Since this simulation is only an example, the results are specific to the chosen network size and parameters.

Five key events in the simulation time-line in Fig. 4 characterize any simulation run. Parameters that influence the timing of these events include malware behavior, network size and network topology. When computing the timing of these events for distinct malware types and/or for distinct networks, the results can help to compare the performance of specific malware in specific network settings. In particular, the timings can help to rate and compare the robustness of specific network topologies when attacked by specific malware types.

These five key events are:

• Patient zero: Infection time of the first node, by definition at simulation start.
• Infected gateway interface A: Up to this point, infected nodes in network A are scanning for the gateway, infecting several local nodes in the process. Once the gateway is infected, lateral propagation into network B is possible if the corresponding network interface of the gateway can be utilized. Already 20% of the nodes in network A are infected, i.e., 10% of all nodes in both networks.
• Infected gateway interface B: The foothold in the target network B is established, i.e., the gateway is fully infected (interfaces A and B) and scanning in network B can commence.
• Network A fully infected: Full infection of network A is accomplished, i.e., 50% of all nodes in the whole setup. Assuming devices in network B to feature the same vulnerability, the malware has already started infecting network B. In total (networks A and B) 77% of all nodes are infected.
• Network B fully infected: Full infection of both networks (100% of all nodes) is achieved. All types of attacks (e.g., selective disruption or destruction, full disruption, etc.) can commence against both networks A and B.

Fig. 4. Network segmentation and monocultures

In case the gateway is capable of preventing the lateral propagation of malware into network B, the potential damage would be reduced to a smaller set of nodes, in our case to 50% (all nodes of network A). Although evident in this scenario, we emphasize once more the importance of properly implementing defensive measures in such neuralgic nodes in the network setup.

Monocultures can produce challenging vulnerabilities for a large number of devices, as seen in several cases [11, 12]. Therefore, the protection of critical assets, such as the central gateway, is of utmost importance, serving as a last line of defense before malware can spread throughout the network or even to the control center (not simulated).

Moreover, adding to the aforementioned defensive measures, i.e., firewalls and virtual networks, which can mitigate such attacks, additional measures may be necessary, cf. [3]. Anomaly detection can in theory identify malware before it infects the gateway. In this case, aside from a large number of defensive measures that can be implemented, the gateway could preventively shut down the network interface, i.e., disconnect the network segment, operate in a fallback mode to protect the other network, or warn other LL-nodes of malicious intents so that they operate in a fallback mode themselves. Although this may be impractical in critical infrastructures, it can present an emergency solution to protect a central asset by jettisoning a small part for protecting the whole. Furthermore, fully separating such infrastructure networks from any Internet facing services may prevent malware attacks, yet cannot provide any guarantee because field devices can still be infected manually.

Depending on its criticality, an importance factor could be assigned to these infrastructures. E.g., a power grid outage having the most severe consequences in terms of impact, the highest priority may be assigned to the power grid. Networks with higher priorities should, in addition to increased protective measures, be operated from inside out [3]. This means that control of critical components, e.g., the firewall or IDS, must not be delegated to a central control entity that is located outside of the critical network, such as a controller instance that is connected to the enterprise network. An attacker that manages to control this instance also controls all connected, subjacent, critical networks.

In the following we elaborate on the differences of endemic malware to pandemic and contagion malware.

Pandemic malware has a more aggressive scanning strategy than endemic malware, thus is more likely to be detected by intrusion or anomaly detection systems. Pandemic malware has less advanced features due to the low development effort and should be defeated by defensive measures that are already in place to protect from endemic malware.

Contagion malware on the other hand is using hidden communication inside legitimate network flows, does not scan the network actively, and implements advanced on-board features. Compared to endemic malware, contagion malware is more challenging to detect when infecting the gateway, which is why advanced host based defense measures are needed. However, all the key events in Fig. 4 apply to contagion malware as well.
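The five key events above, reproduced in an added toy model (not the authors' ns-3 simulation) on the paper's topology of two 49-node networks joined by one gateway: every infected node scans one remaining target per tick and, in the assumed monoculture, every scan succeeds; `segmentation_holds` switches between a gateway whose network-B interface cannot be taken over and the failure case of Fig. 4. The node names, the one-target-per-tick rule and the uniform target choice are assumptions of this example.

```python
"""Key-event timeline of Sect. 5 on a toy propagation model (added example, not the paper's model).

Topology: networks A and B with 49 LL-nodes each, one gateway (ML-node) with an interface into
each network, patient zero in network A. Infected LL-nodes pose as the gateway towards their peers,
so their reachable set is the rest of their own network plus the gateway interface of that network.
"""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

N_PER_NET = 49      # 7 x 7 LL-nodes per network, as in the paper's setup
GATEWAY = "GW"      # the ML-node joining network A and network B
EVENTS = ("patient zero", "infected gateway interface A", "infected gateway interface B",
          "network A fully infected", "network B fully infected")


@dataclass
class Outcome:
    events: Dict[str, Optional[Tuple[int, float]]]  # name -> (tick, share of all nodes infected)
    infected_a: int
    infected_b: int
    gateway_infected: bool


def simulate(segmentation_holds: bool, seed: int = 1, max_ticks: int = 10_000) -> Outcome:
    """Run one propagation and record the five key events.

    segmentation_holds=True models a gateway whose network-B interface cannot be taken over
    (the proactive measures on the ML-node work); False models the failure case of Fig. 4.
    Every infected node scans one still-uninfected reachable target per tick and, because of
    the assumed common vulnerability, every scan succeeds. The target is drawn uniformly from
    what is left, an idealised stand-in for the shared permutation hitlist of endemic malware.
    """
    rng = random.Random(seed)
    net_a = [f"A{i}" for i in range(N_PER_NET)]
    net_b = [f"B{i}" for i in range(N_PER_NET)]
    total = 2 * N_PER_NET + 1
    inf_a = {net_a[0]}            # patient zero: one compromised LL-node in network A
    inf_b: set = set()
    gw_if_a = gw_if_b = False     # gateway interface towards A / towards B compromised?
    events: Dict[str, Optional[Tuple[int, float]]] = {name: None for name in EVENTS}

    def mark(name: str, tick: int) -> None:
        if events[name] is None:
            infected = len(inf_a) + len(inf_b) + (1 if gw_if_a else 0)
            events[name] = (tick, round(infected / total, 3))

    mark("patient zero", 0)
    for tick in range(1, max_ticks):
        # Lateral step: a gateway compromised on its A side is taken over end to end one tick
        # later unless its segmentation holds. Only then can scanning into network B begin.
        if gw_if_a and not gw_if_b and not segmentation_holds:
            gw_if_b = True
            mark("infected gateway interface B", tick)
        # Network A: each infected LL-node takes one remaining target (a peer or the gateway).
        targets_a = [n for n in net_a if n not in inf_a] + ([] if gw_if_a else [GATEWAY])
        for _ in range(len(inf_a)):
            if not targets_a:
                break
            target = targets_a.pop(rng.randrange(len(targets_a)))
            if target == GATEWAY:
                gw_if_a = True
                mark("infected gateway interface A", tick)
            else:
                inf_a.add(target)
        if len(inf_a) == N_PER_NET:
            mark("network A fully infected", tick)
        # Network B: the gateway (via interface B) and the already infected B nodes scan B.
        targets_b = [n for n in net_b if n not in inf_b]
        for _ in range(len(inf_b) + (1 if gw_if_b else 0)):
            if not targets_b:
                break
            inf_b.add(targets_b.pop(rng.randrange(len(targets_b))))
        if len(inf_b) == N_PER_NET:
            mark("network B fully infected", tick)
            break
        if segmentation_holds and gw_if_a and len(inf_a) == N_PER_NET:
            break  # nothing more is reachable: damage is capped at network A plus the gateway
    return Outcome(events, len(inf_a), len(inf_b), gw_if_a)


if __name__ == "__main__":
    for holds in (False, True):
        out = simulate(segmentation_holds=holds, seed=7)
        print(f"segmentation holds: {holds}")
        for name, ev in out.events.items():
            text = "not reached" if ev is None else f"tick {ev[0]}, {ev[1]:.0%} of all nodes infected"
            print(f"  {name:<30} {text}")
```

With the gateway holding, the run ends with network A and the gateway infected and network B untouched, the 50% ceiling the text describes; the tick values themselves depend on the seed and the simplified scanning rule, only the ordering of the events carries over.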
6. Conclusion

This paper shows that vendors and utilities have huge incentives to implement their control infrastructures as monocultures in terms of both hardware and software. The same hardware is mainly used to lower development, deployment, and replacement costs. Using identical software decreases operational and maintenance costs. However, the huge number of identical nodes in such networks supports fast and efficient propagation of malware once a vulnerability is found.

When analyzing different malware types we conclude that the simple but aggressive pandemic malware is the least challenging adversary to defeat. Similar network based defense measures may also suffice to defeat the endemic malware type. However, endemic malware carries more advanced on-board features that include obfuscation techniques and can present a challenging problem for host based detection methods, should it manage to infect a host device. In this case, we argue that the gateway, being the node of central importance in the presented setup, must implement all of these features. Contagion malware uses hidden communication to propagate to its victims, which is why the gateway, being the only legitimate communication partner of all nodes, is infected first. The likelihood is extremely low that such a malicious payload can be detected in transit. Accordingly, host based detection must be much stronger, involving complex heuristics and advanced real-time anomaly detection in its attempt to protect the gateway.

Our detailed analysis confirms that monocultures support fast malware spreading, in particular if the communication networks are not configured and segmented properly. As this can have catastrophic consequences, critical networks should not be connected to shared network resources like enterprise networks. Advanced security measures like anomaly detection are recommended to be implemented on neuralgic nodes like gateways to detect and prevent malware from infecting neighboring networks. However, the downside of this strict separation between enterprise and control domain is a substantial increase in investments for planning, component replication and segmentation. Economic considerations being one of the main drivers of today’s utility networks, we anticipate that major incidents must and will happen before utility companies’ management will reevaluate the true costs of malware infection. We argue that this cost reevaluation is an essential prerequisite for balancing the true costs of potentially catastrophic grid failures against investments into security measures that the protection of critical infrastructures deserves.

Acknowledgements

Open access funding provided by TU Wien (TUW).

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

References

1. Bencsáth, B., Pék, G., Buttyán, L., Félegyházi, M. (2012): The Cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet, 4(4), 971–1003.
2. Christiner, G. (2013): Die Rolle der APG für die Stromversorgungssicherheit – Nationale und Internationale Herausforderungen. Tech. Rep. 20903, E-Control, Austria.
3. Eder-Neuhauser, P., Zseby, T. (2017): The art of defending critical infrastructures. In ISGT-Europe, IEEE conference, Turin, ITA.
4. Eder-Neuhauser, P., Zseby, T., Fabini, J. (2016): Resilience and security: a qualitative survey of urban smart grid architectures. IEEE Access, 4, 839–848.
5. Eder-Neuhauser, P., Zseby, T., Fabini, J. (2017): Malware propagation in Smart Grid networks: simulation and comparison of three malware types. J. Comput. Virol. Hacking Techn., in press.
6. Eder-Neuhauser, P., Zseby, T., Fabini, J., Vormayr, G. (2017): Cyber attack models for Smart Grid environments. Sustain. Energy Grids Netw., 12C, 10–29.
7. Federal office of civil protection and disaster assistance (2015): Kritis – sector: energy. White paper, Germany.
8. ISO/IEC Std 7498-1:1994 (1994): Information technology – open systems interconnection – basic reference model. International standard.
9. Kamluk, V., Gostev, A. (2016): Adwind – a cross platform RAT. White paper V. 3.0 #Adwind, Kaspersky Labs.
10. Kaspersky Labs (2016): The Flame: questions and answers. [Online] Available: https://securelist.com/blog/incidents/34344/the-flame-questions-and-answers-51/.
11. Kocher, P., Genkin, D., Gruss, D., Haas, W., Hamburg, M. (2018): Spectre attacks: exploiting speculative execution. Preprint, arXiv:1801.01203.
12. Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W. (2018): Meltdown. Preprint, arXiv:1801.01207.
13. Marinos, L. (2013): Smart Grid threat landscape and good practice guide. Tech. rep., European network and information security agency (ENISA).
14. Nativ, Y. (2018): theZoo: a repository of LIVE malwares for your own joy and pleasure. [Online] Available: https://github.com/ytisf/theZoo, original-date: 2014-01-09T18:55:35Z.
15. NS-3 Consortium (2016): NS-3 Consortium. [Online] Available: https://www.nsnam.org/.
16. olsr.org (2004): Open link state routing protocol – man page. [Online] Available: http://www.olsr.org/docs/olsrd.conf.5.html.
17. Wien Energie GmbH (2012): Smart metering und smart cities. [Online] Available: http://arge.ph-noe.ac.at/fileadmin/fwz/etech/Energiesysteme/2_smartmetering_smartcities.pdf.

Authors

Peter Eder-Neuhauser received the M.Sc. degree in energy engineering from the University of Applied Sciences Technikum Wien, Austria. He is currently pursuing the doctoral degree with the TU Wien. He is working on smart grid security with a focus on malware containment in smart grid ICT.

Tanja Zseby is a full professor of communication networks at the Faculty of Electrical Engineering and Information Technology at TU Wien. She received her diploma degree (Dipl.-Ing.) in electrical engineering and her doctoral degree (Dr.-Ing.) from TU Berlin, Germany. Before joining TU Wien she led the Competence Center for Network Research at the Fraunhofer Institute for Open Communication Systems (FOKUS) in Berlin and worked as visiting scientist at the University of California, San Diego, USA.

Joachim Fabini received the Dipl.-Ing. degree in computer sciences and the Dr. techn. degree in electrical engineering from TU Wien. After five years of research with Ericsson Austria, he joined the Institute of Telecommunications, TU Wien, in 2003. He is a Senior Scientist with the Communication Networks Group with research focus on active measurement methodologies.

Publisher
Springer Journals
Copyright
Copyright © 2018 by The Author(s)
Subject
Engineering; Electrical Engineering; Computer Hardware; Software Engineering/Programming and Operating Systems
ISSN
0932-383X
eISSN
1613-7620
D.O.I.
10.1007/s00502-018-0616-5

ticular grid operator that are fulfilled by few vendors and devices, The main contributions of this paper include a model on how (b) proprietary protocols or extensions that question interoperabil- malware propagates in critical infrastructure monocultures if net- ity, (c) national regulations that lead to different feature sets, and work segmentation fails. We consider the stages that malware will (d) maintenance, replacement and cost considerations. For instance transition through while infecting the key points in the network and national regulations constrain the minimum reading intervals, the the countermeasures that utilities can adopt to defend themselves ability to switch power off and on remotely, and many other fea- tures of smart meters. Moreover, testing new firmware releases for during these stages. The proposed attack model considers three rep- these smart meters on functionality, interoperability, or compliance resentative malware categories and discusses their impact in critical with national regulations is a demanding task in terms of time, ef- infrastructures. The findings are based on simulations and results are fort, and cost. This aggregation of social, technical, and legislative reasons result in utilities creating monocultures or groups of mono- Eder-Neuhauser, Peter, TU Wien, Institute of Telecommunications, Gußhausstraße cultures in their network. 
This offers unique incentives and opportu- 25/E389, 1040 Vienna, Austria (E-mail: peter.eder-neuhauser@nt.tuwien.ac.at); Zseby, nities for attackers who can exploit one single vulnerability, or very Tanja, TU Wien, Institute of Telecommunications, Gußhausstraße 25/E389, 1040 Vienna, similar vulnerabilities in common device types or reused software Austria (E-mail: tanja.zseby@tuwien.ac.at); Fabini, Joachim, TU Wien, Institute of frameworks across the entire hierarchy to infect, control, and abuse Telecommunications, Gußhausstraße 25/E389, 1040 Vienna, Austria (E-mail: joachim.fabini@tuwien.ac.at) a huge set of devices. For instance, the recent Spectre attacks, cf. 264 heft 3.2018 The Author(s) e&i elektrotechnik und informationstechnik P. Eder-Neuhauser et al. Malware propagation in smart grid monocultures ORIGINALARBEIT All nodes can initiate the communication to the gateway and the gateway can poll LL-nodes for additional data or push firmware up- dates. Figure 2 shows the legitimate communication and also ille- gitimate communication of infected nodes that are targeting other nodes in their own network. Communication attempts across the infrastructure should be mitigated with appropriate defense mea- sures, e.g., firewalls or intrusion detection systems. But these sys- tems can sometimes fail because of technological constraints or vul- nerabilities in the network protocol stack like, e.g., in the case of wireless ad-hoc networks. Fig. 1. Network Topology of 2 networks, connected through a gate- Moreover, active scanning activities by infected LL-nodes can be detected at the gateway if it is capable of intrusion detection func- way tions and listening for anomalous traffic. 3. Attack model presented using an exemplary simulation run for a hypothetical but Network segmentation is crucial to prevent malware from spread- representative topology. ing in the network. One example of a rogue broadcast message This paper is structured as follows. 
Section 2 introduces the pro- that originated inside a gas grid control network, proliferating into posed network topology and the corresponding communication a power grid control network and resulting in a denial of service, model. The attack model is discussed in Sect. 3. We simulate mal- is presented in [2]. Although this example was an accident and ware propagation using one example for a monoculture network not an intentional malicious attack, it shows that improperly seg- (described in Sect. 4) and discuss the respective failure of network mented networks can, in this case by a configuration error, lead to segmentation in the results in Sect. 5. Section 6 concludes the paper. large-scale node failure and possibly to catastrophic consequences. In theory a gateway should strictly segment the two networks but 2. Network topology and communication model the ML-node may be affected by vulnerabilities or misconfiguration, Figure 1 illustrates the network topology as basis for subsequent dis- too. cussions and simulations. It consists of two networks, with each 49 In our work we simulate malware propagation that could shut low level (LL) nodes (i.e., 2 · 7 · 7 nodes in a symmetric setup, roughly down all nodes or mount similar denial of service attacks if all nodes representing two city blocks) and one connecting gateway. The LL- are infected. nodes represent the last controlling instance that operators can ac- Our attack model is based on a malware type named endemic cess before entering customers’ premises. We argue that with the malware, as introduced in [6]. We argue that the assumption of such evolution of Smart Grids the LL-nodes will act as proxies and inter- automated self-propagating malware is reasonable because manual faces through which operators can control services such as decen- infection of all nodes in a large smart grid does not scale well [5]. 
tralized power management or demand side management within Endemic malware aggregates capabilities of advanced existing mal- customer’s premises. ware types that are capable of extracting network information from the infected host, optimize the scanning strategy to the network The connecting gateway node represents a local control entity setup, and obfuscate the propagation behavior. It uses a permuta- that is located in a central location such as the transformer station tion hitlist scanning strategy that copies the target hitlist including and is in charge of the management of data flows. Once the gate- the scanned nodes among malware children in order to minimize re- way is infected an attacker could enter the overlain control network scans (i.e., scanning nodes again that already have been scanned). (not simulated) of the utility company. Endemic malware is highly modular, requires a high level of devel- Our setup represents two subnets of different energy infrastruc- opment effort, and therefore could also have the capability to uti- tures which are connected via network equipment in order to bene- lize multiple vulnerabilities to infect nodes. Moreover, it opens dedi- fit from shared resources and control technologies. Such a scenario, cated connections to its victims, making the malware detectable by of interconnecting different networks for optimizing control is com- connection-based anomaly detection in the network. monly found in the literature, for instance in [2, 4, 7, 13]. Network Nevertheless, capabilities that enable the malware to stay unde- A and B could represent either two power grids or grids for different tected on a host for a period of time make endemic malware a utilities, e.g., network A could represent a gas grid and network B a challenging adversary. Therefore, we assume that host based de- power grid. 
fenses, e.g., virus scanning software may not detect this advanced Our sample topology contains only a small number of devices malware type, as was the case initially with the Stuxnet worm and compared to typical large grid installations, which, e.g., include ap- its cousins [1]. The goal of endemic malware in our simulation is to proximatively 1.6 million smart meters for the city of Vienna, Austria infect all nodes in both infrastructures to commence different attack [17], but is sufficient to show the effects of monocultures in smart types, e.g., shutting down all nodes, shutting down selected nodes, grids. or building a botnet for denial of service attacks, cf. [6]. Infected Figure 2 illustrates the used communication model with legitimate field nodes can disguise themselves as gateways toward other field and malicious communication that is sent to the gateway. LL-nodes nodes to infect victims laterally. A similar behavior has been observed can only communicate with the gateway (a medium level (ML) node) for instance in the Flame malware [10]. The endemic malware is de- but not with other LL-nodes. The gateway is aggregating and ana- scribed in detail in [6]. lyzing all data, thus, there is no need to send data from one LL-node We use the endemic malware as basis for our simulations. Addi- to another in the other network. The gateway does not route infor- tionally, as a comparison we show the capabilities of two other mal- mation to another destination in the other network, except to the ware types, namely, pandemic and contagion malware, cf. [6], and control center which is positioned hierarchically above the ML-node, compare them with the features of the endemic malware. However, being outside of the simulation scope. we do not simulate them. Juni 2018 135. Jahrgang The Author(s) heft 3.2018 265 ORIGINALARBEIT P. Eder-Neuhauser et al. Malware propagation in smart grid monocultures Fig. 2. 
Communication traffic and patterns Furthermore, we discuss pandemic malware which represents ag- located from the diagram origin. Therefore, assuming equal weight- gressive malware types that use random scanning to discover new ing for all features, a larger area represents a greater threat to de- victims in a brute-force manner, enabling defenders to quickly iden- fenders. tify it in the network. Pandemic malware implementation lacks so- General features, e.g., the development effort shows that pan- phisticated features, is generally simple and involves a relatively low demic malware is simple, therefore, accessible to a larger group development effort. These characteristics facilitate its use by a broad compared to the more advanced malware types. Endemic and con- range of user groups. With the source code of some variants [14]be- tagion malware require increased resources, which may be a draw- ing accessible on the Internet as a template, even less skilled attack- back for the attacker, thus, a benefit for defenders. Moreover, in- ers can modify and implement their own version. However, besides creased development effort coincides with advanced on-board de- the aggressive scanning, victims are contacted by opening a dedi- fense features against detection that are available in modular ex- cated connection, which should also be detectable by connection- tensions. This increased effort pays off and represents a benefit for based intrusion detection. attackers in terms of improved attack capabilities. The last malware type, called Contagion malware,represents Increased stealthiness features, which support reduced network highly advanced malware that obfuscates all aspects of its presence, scanning and stealthy malware propagation in networks, on one cf. [6]. 
Contagion malware exploits application layer vulnerabilities hand decrease propagation speed and frequently coincide with in- [8] to propagate hidden within established legitimate TCP connec- creased development effort. On the other hand, advanced on-board tions instead of opening new dedicated connections to the victims. capabilities enable the malware to optimize resource consumption in This is why it is invisible to connection-based anomaly detection. the network and/or on the host, supporting advanced features like, Such a malware requires defenders to inspect every legitimate con- e.g., additional attack vectors, obfuscation capabilities, or advanced nection for anomalies, e.g., anomalous peaks of packets, anomalous scanning strategies. The insert in Fig. 3 differentiates between gen- packet timings, or anomalous packet size variations inside a flow. eral features, network domain features, and the host domain fea- With encrypted communication channels at network or transport tures. layer, such anomaly detection becomes a challenging task. An additional malware categorization is with respect to pre- We define the starting point of the infection at one compromised infection, the initial propagation phase, vs. post-infection, the op- LL-node as patient zero. It represents, e.g., an infected smart meter, erational phase. Pre-infection includes all actions that happen in the which can initially be compromised via unpatched or new vulnerabil- first few moments of a malware lifetime. This is the instant in time ities. We assume that the utility operates a device monoculture and when the malware must propagate itself autonomously in a net- that an exploitable set of similar vulnerabilities exists throughout the work, as simulated in our example. This step is intentionally auto- entire population and across all hierarchy levels of the deployed de- mated due to the assumed large scale smart grid. vices. 
This is typically the case when all devices are manufactured by The operational phase, however, represents the malware’s capa- one vendor and operate the same firmware release, or reuse parts of bility to stay hidden (unobserved) and persistent for an extended the same hardware or software like, e.g., operating system, software period. This includes low CPU usage by the malware such that de- development framework, or common libraries. Recently reported fending software may not identify CPU overload for a system that is vulnerabilities, which have persisted over generations of CPUs (cf. supposed to operate within specifications. Failure of the malware to [11, 12]) confirm that exploitable hardware monocultures are highly do so opens opportunities for defending software that can detect realistic assumptions in today’s systems. The alarming conclusion is either processes on the host that act suspiciously or excess network that a sufficient condition for the establishment of a huge cross- traffic for malware command and control (C&C) or propagation ac- vendor device monoculture involves as little as two smart meter tivities. vendors to use the same CPU family in their product designs. Our Other host based features that correlate well with the develop- fictional vulnerability affects all network nodes and allows remote ment effort include the malware’s payload structure. A monomor- code execution and administrator rights upon infection. phic payload represents a simple construct that may change in size Figure 3 illustrates the different capabilities and characteristics of but produces similar signatures. Therefore, it can be detected reliably pandemic (yellow), endemic (blue), and contagion malware (red), as whenever heuristic signatures are available. A polymorphic payload introduced in [6]. complicates detection by scrambling its shape and size through en- The figure depicts features, characteristics, capabilities, and par- cryption. 
Still, decrypted payloads will produce identical signatures ticular strengths of the different malware types. The more sophisti- on the local drive of the host, being detectable by heuristic meth- cated a malware feature, the more distant the corresponding point is ods. Malware featuring metamorphic payload requires the higher 266 heft 3.2018 The Author(s) e&i elektrotechnik und informationstechnik P. Eder-Neuhauser et al. Malware propagation in smart grid monocultures ORIGINALARBEIT Fig. 3. A threat matrix for smart grid enabled malware, its capabilities and defensive efforts development effort, varying in size, shape, encoding, and encryp- too, as detailed in [6]. We omit simulations of the pandemic and tion. Moreover, recompilation on the host system can be used to contagion malware types but discuss the differences between the obfuscate any trace of the payload’s presence, cf. [9]. three malware types. We use these three malware types, cf. [6], as the starting base First, network segmentation, by e.g., firewalls or virtual networks, and simulate one example of the endemic malware. is often used as an effective measure to contain malware propaga- tion, cf. [6]. In case proactive measures fail to protect the gateway, 4. Simulation model e.g., because of a new or unpatched vulnerability, both parts of the Our simulations are based on the ns3 network simulation environ- network may be affected. Monocultures therefore can support mal- ment [15], version 3.26. We simulate two mesh networks that use ware propagation. Figure 4 shows a simulation of two networks of the Optimized Link State Routing (OLSR) protocol [16] for lower layer the same size, i.e., each network has 49 nodes. Since this simulation routing. The two mesh networks are connected via a gateway, which is only an example, the results are specific to the chosen network has two network interfaces, one for each network, whereas each size and parameters. LL-node has one single network interface. 
At IP layer, the LL-nodes Five key events in the simulation time-line in Fig. 4 characterize are supposed to communicate only with the gateway interface, al- any simulation run. Parameters that influence the timing of these though messages may pass several OLSR nodes during the lower- events include malware behavior, network size and network topol- layer routing process. ogy. When computing the timing of these events for distinct mal- Our malware model consists of a self-carried propagation model ware types and/or for distinct networks, the results can help to including the dropper and the payload which is unpacked on the compare the performance of specific malware in specific network infected host nodes [6]. settings. In particular, the timings can help to rate and compare the robustness of specific network topologies when attacked by specific 5. Network segmentation and monocultures malware types. This section discusses the failure of network segmentation measures These five key events are: and elaborates on the drawbacks of homogeneous infrastructures, i.e., monocultures. The simulation is restricted to endemic malware, • Patient zero: Infection time of the first node, by definition at sim- results and conclusions being applicable to other malware types, ulation start. Juni 2018 135. Jahrgang The Author(s) heft 3.2018 267 ORIGINALARBEIT P. Eder-Neuhauser et al. Malware propagation in smart grid monocultures Fig. 4. Network segmentation and monocultures • Infected gateway interface A: Up to this point, infected nodes in separating such infrastructure networks from any Internet facing ser- network A are scanning for the gateway, infecting several local vices may prevent malware attacks, yet, cannot provide any guaran- nodes in the process. Once the gateway is infected lateral propa- tee because field devices can still be infected manually. 
gation into network B is possible if the corresponding network in- Depending on its criticality, an importance factor could be as- signed to these infrastructures. E.g., a power grid outage having the terface of the gateway can be utilized. Already 20% of the nodes most severe consequences in terms of impact, may be assigned the in network A are infected, i.e., 10% of all nodes in both networks. highest priority to the power grid. Networks with higher priorities • Infected gateway interface B: The foothold in the target network should, additionally to increased protective measures, be operated B is established, i.e., the gateway is fully infected (interface A and from inside out [3]. This means that control of critical components, B) and scanning in network B can commence. e.g., the firewall or IDS, must not be delegated to a central con- • Network A fully infected: Full infection of network A is accom- trol entity that is located outside of the critical network such as a plished, i.e., 50% of all nodes in the whole setup. Assuming de- controller instance that is connected to the enterprise network. An vices in network B to feature the same vulnerability, the malware attacker that manages to control this instance, also controls all con- already started infecting network B. In total (network A and B) nected, subjacent, critical networks. 77% of all nodes are infected. In the following we elaborate on the differences of endemic mal- • Network B fully infected: Full infection of both networks (100% of ware to pandemic and contagion malware. all nodes) is achieved. All types of attacks (e.g., selective disruption Pandemic malware has a more aggressive scanning strategy than or destruction, full disruption, etc.) can commence against both endemic malware, thus, is more likely to be detected by intrusion or networks A and B. anomaly detection systems. 
Pandemic malware has less advanced In case the gateway is capable of preventing the lateral propa- features due to the low development effort and should be defeated gation of malware into network B, the potential damage would be by defensive measures that are already in place to protect from en- reduced to a smaller set of nodes, in our case to 50% (all nodes of demic malware. network A). Although evident in this scenario, we emphasize once Contagion malware on the other hand is using hidden communi- more the importance of properly implementing defensive measures cation inside legitimate network flows, does not scan the network in such neuralgic nodes in the network setup. actively, and implements advanced on-board features. Compared to Monocultures can produce challenging vulnerabilities for a large endemic malware, contagion malware is more challenging to detect number of devices, as seen in several cases [11, 12]. Therefore, the when infecting the gateway, which is why advanced host based de- protection of critical assets, such as the central gateway, is of utmost fense measures are needed. However, all the key events in Fig. 4 importance, serving as a last line of defense before malware can apply to contagion malware, as well. spread throughout the network or even to the control center (not simulated). 6. Conclusion Moreover, adding to the aforementioned defensive measures, i.e., This paper shows that vendors and utilities have huge incentives to firewalls and virtual networks, which can mitigate such attacks, ad- implement their control infrastructures as monocultures in terms of ditional measures may be necessary, cf. [3]. Anomaly detection can both, hardware and software. The same hardware is mainly used in theory identify malware before it infects the gateway. In this case, to lower development-, deployment-, and replacement costs. 
Us- aside from a large number of defensive measures that can be im- ing identical software decreases operational and maintenance costs. plemented, the gateway could preventively shut down the network However, the huge number of identical nodes in such networks sup- interface, i.e., disconnect the network segment, operate in a fall- ports fast and efficient propagation of malware once a vulnerability back mode to protect the other network, or warn other LL-nodes is found. from malicious intents and to operate in a fallback mode them- When analyzing different malware types we conclude that the selves. Although this may be impractical in critical infrastructures, simple but aggressive pandemic malware is the least challenging it can present an emergency solution to protect a central asset by adversary to defeat. Similar network based defense measures may jettisoning a small part for protecting the whole. Furthermore, fully also suffice to defeat the endemic malware type. However, endemic 268 heft 3.2018 The Author(s) e&i elektrotechnik und informationstechnik P. Eder-Neuhauser et al. Malware propagation in smart grid monocultures ORIGINALARBEIT malware carries more advanced on-board features that include ob- licenses/by/4.0/), which permits unrestricted use, distribution, and reproduc- tion in any medium, provided you give appropriate credit to the original au- fuscation techniques and can present a challenging problem for host thor(s) and the source, provide a link to the Creative Commons license, and based detection methods, should it manage to infect a host device. indicate if changes were made. In this case, we argue that the gateway, being the node of central importance in the presented setup, must implement all of these fea- References tures. Contagion malware uses hidden communication to propagate to its victims, which is why the gateway, being the only legitimate 1. Bencsáth, B., Pék, G., Buttyán, L., Félegyházi, M. 
communication partner of all nodes, is infected first. The likelihood is extremely low that such a malicious payload can be detected in transit. Accordingly, host-based detection must be much stronger, involving complex heuristics and advanced real-time anomaly detection in its attempt to protect the gateway.

Our detailed analysis confirms that monocultures support fast malware spreading, in particular if the communication networks are not configured and segmented properly. As this can have catastrophic consequences, critical networks should not be connected to shared network resources like enterprise networks. Advanced security measures like anomaly detection should be implemented on neuralgic nodes such as gateways to detect and prevent malware from infecting neighboring networks. However, the downside of this strict separation between enterprise and control domain is a substantial increase in investments for planning, component replication and segmentation. Economic considerations being one of the main drivers of today's utility networks, we anticipate that major incidents must and will happen before utility companies' management will reevaluate the true costs of malware infection. We argue that this cost reevaluation is an essential prerequisite for balancing the true costs of potentially catastrophic grid failures against investments into the security measures that the protection of critical infrastructures deserves.

Acknowledgements
Open access funding provided by TU Wien (TUW).

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/

References
1. (2012): The Cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet, 4(4), 971–1003.
2. Christiner, G. (2013): Die Rolle der APG für die Stromversorgungssicherheit – Nationale und Internationale Herausforderungen. Tech. Rep. 20903, E-Control, Austria.
3. Eder-Neuhauser, P., Zseby, T. (2017): The art of defending critical infrastructures. In ISGT-Europe, IEEE conference, Turin, ITA.
4. Eder-Neuhauser, P., Zseby, T., Fabini, J. (2016): Resilience and security: a qualitative survey of urban smart grid architectures. IEEE Access, 4, 839–848.
5. Eder-Neuhauser, P., Zseby, T., Fabini, J. (2017): Malware propagation in Smart Grid networks: simulation and comparison of three malware types. J. Comput. Virol. Hacking Techn., in press.
6. Eder-Neuhauser, P., Zseby, T., Fabini, J., Vormayr, G. (2017): Cyber attack models for Smart Grid environments. Sustain. Energy Grids Netw., 12C, 10–29.
7. Federal Office of Civil Protection and Disaster Assistance (2015): Kritis – sector: energy. White paper, Germany.
8. ISO/IEC Std 7498-1:1994 (1994): Information technology – open systems interconnection – basic reference model. International standard.
9. Kamluk, V., Gostev, A. (2016): Adwind – a cross platform RAT. White paper V. 3.0 #Adwind, Kaspersky Labs.
10. Kaspersky Labs (2016): The Flame: questions and answers. [Online] Available: https://securelist.com/blog/incidents/34344/the-flame-questions-and-answers-51/.
11. Kocher, P., Genkin, D., Gruss, D., Haas, W., Hamburg, M. (2018): Spectre attacks: exploiting speculative execution. Preprint, arXiv:1801.01203.
12. Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W. (2018): Meltdown. Preprint, arXiv:1801.01207.
13. Marinos, L. (2013): Smart Grid threat landscape and good practice guide. Tech. rep., European Network and Information Security Agency (ENISA).
14. Nativ, Y. (2018): theZoo: a repository of LIVE malwares for your own joy and pleasure. [Online] Available: https://github.com/ytisf/theZoo, original-date: 2014-01-09T18:55:35Z.
15. NS-3 Consortium (2016): NS-3 Consortium. [Online] Available: https://www.nsnam.org/.
16. olsr.org (2004): Open link state routing protocol – man page. [Online] Available: http://www.olsr.org/docs/olsrd.conf.5.html.
17. Wien Energie GmbH (2012): Smart metering und smart cities. [Online] Available: http://arge.ph-noe.ac.at/fileadmin/fwz/etech/Energiesysteme/2_smartmetering_smartcities.pdf.

Authors
Peter Eder-Neuhauser received the M.Sc. degree in energy engineering from the University of Applied Sciences Technikum Wien, Austria. He is currently pursuing the doctoral degree with the TU Wien. He is working on smart grid security with a focus on malware containment in smart grid ICT.

Tanja Zseby is a full professor of communication networks at the Faculty of Electrical Engineering and Information Technology at TU Wien. She received her diploma degree (Dipl.-Ing.) in electrical engineering and her doctoral degree (Dr.-Ing.) from TU Berlin, Germany. Before joining TU Wien she led the Competence Center for Network Research at the Fraunhofer Institute for Open Communication Systems (FOKUS) in Berlin and worked as visiting scientist at the University of California, San Diego, USA.

Joachim Fabini received the Dipl.-Ing. degree in computer sciences and the Dr. techn. degree in electrical engineering from TU Wien. After five years of research with Ericsson Austria, he joined the Institute of Telecommunications, TU Wien, in 2003. He is a Senior Scientist with the Communication Networks Group with research focus on active measurement methodologies.
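The conclusion above rests on two claims: a device monoculture lets malware that exploits one common vulnerability sweep the whole population, and segmentation contains it only if configured properly, with the gateway as the critical node. The following model is an added example, not code from the paper or its authors. The topology (four segments of one gateway and eight meters each), the address layout, the firmware families "A" (exploitable) and "B", the probe rate and the firewall rule are all constructed assumptions chosen to make the effect visible; it runs a worm from one compromised meter under four device mixes and reports how much of the population it can ever reach and how many steps the sweep takes.

```python
from dataclasses import dataclass
from random import Random
from typing import Dict, List, Set, Tuple

GATEWAY, METER = "gateway", "meter"


@dataclass(frozen=True)
class Device:
    addr: int      # position in the address space that probes are aimed at
    role: str      # GATEWAY or METER
    firmware: str  # firmware family; the exploit works against exactly one family
    segment: int   # subnet the device sits in


def build_grid(segments: int, meters_per_segment: int,
               vulnerable_meters_per_segment: int, gateway_firmware: str) -> List[Device]:
    # Constructed topology (hypothetical, not from the paper): each segment is one gateway
    # followed by its meters; the first vulnerable_meters_per_segment meters run "A", the rest "B".
    devices: List[Device] = []
    for s in range(segments):
        base = s * (meters_per_segment + 1)
        devices.append(Device(base, GATEWAY, gateway_firmware, s))
        for i in range(meters_per_segment):
            firmware = "A" if i < vulnerable_meters_per_segment else "B"
            devices.append(Device(base + 1 + i, METER, firmware, s))
    return devices


def reachable(src: Device, dst: Device, segmented: bool) -> bool:
    # Firewall policy. Flat network: everything reaches everything. Segmented: traffic stays
    # inside the segment, except that gateways also reach the other gateways over the backbone.
    if src.addr == dst.addr:
        return False
    if not segmented or src.segment == dst.segment:
        return True
    return src.role == GATEWAY and dst.role == GATEWAY


def exposed_set(devices: List[Device], exploit_firmware: str,
                patient_zero: int, segmented: bool) -> Set[int]:
    # Upper bound on the damage: transitive closure over reachable(), restricted to
    # devices running the exploitable firmware family.
    by_addr = {d.addr: d for d in devices}
    seen, frontier = {patient_zero}, [patient_zero]
    while frontier:
        src = by_addr[frontier.pop()]
        for dst in devices:
            if (dst.addr not in seen and dst.firmware == exploit_firmware
                    and reachable(src, dst, segmented)):
                seen.add(dst.addr)
                frontier.append(dst.addr)
    return seen


def simulate(devices: List[Device], exploit_firmware: str, patient_zero: int,
             segmented: bool, scan_rate: int = 2, seed: int = 1, max_steps: int = 10_000) -> List[int]:
    # Discrete-time propagation: every infected device fires scan_rate probes per step at
    # uniformly random addresses (seeded, hence reproducible). A probe that passes the firewall
    # and lands on the exploitable firmware compromises the target at the end of the step.
    # Returns the infected count per step (index 0 = initial state); stops once nothing
    # exposed is left uninfected.
    rng = Random(seed)
    by_addr = {d.addr: d for d in devices}
    addrs = [d.addr for d in devices]
    target = exposed_set(devices, exploit_firmware, patient_zero, segmented)
    infected, history = {patient_zero}, [1]
    for _ in range(max_steps):
        if infected == target:
            break
        newly: Set[int] = set()
        for a in infected:
            src = by_addr[a]
            for _ in range(scan_rate):
                dst = by_addr[rng.choice(addrs)]
                if (dst.addr not in infected and dst.firmware == exploit_firmware
                        and reachable(src, dst, segmented)):
                    newly.add(dst.addr)
        infected |= newly
        history.append(len(infected))
    return history


def run_scenarios(segments: int = 4, meters: int = 8) -> Dict[str, Tuple[int, int, int]]:
    # Returns {scenario: (devices in total, devices compromised, steps until the worm stops)}.
    # Patient zero is always the first meter of segment 0 (address 1); the exploit targets "A".
    cases = {
        "monoculture, flat":                (build_grid(segments, meters, meters, "A"), False),
        "monoculture, segmented":           (build_grid(segments, meters, meters, "A"), True),
        "half the meters diverse, flat":    (build_grid(segments, meters, meters // 2, "B"), False),
        "diverse gateways only, segmented": (build_grid(segments, meters, meters, "B"), True),
    }
    results = {}
    for name, (devices, segmented) in cases.items():
        history = simulate(devices, "A", patient_zero=1, segmented=segmented)
        results[name] = (len(devices), history[-1], len(history) - 1)
    return results


if __name__ == "__main__":
    for name, (total, hit, steps) in run_scenarios().items():
        print(f"{name:34s} {hit:3d}/{total} devices compromised, worm stopped after {steps} steps")
```

Both monoculture runs end with all 36 devices compromised, segmented or not, because the gateways share the exploitable firmware and bridge the segments; the mixed population caps the damage at the 16 meters that run the vulnerable family, and only the run in which the gateways use a different firmware family holds the worm to the eight meters of its own segment. That is the practical reading of the recommendation above: segmentation buys containment only when the device that enforces the boundary is not itself part of the monoculture, which is why the conclusion puts the strongest host-based detection on the gateway.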