2011 -12 Seminars
Multi-Vendor Penetration Testing in the Advanced Metering Infrastructure: Challenges for RegulationStephen McLaughlin
PhD. Candidate, Department of Computer Science and Engineering
Penn State University
The advanced metering infrastructure (AMI) is made up of hardware, software, and networks from an increasingly large pool of vendors. There are currently no regulations imposed on AMI vendors or utilities to test the security of such products. At the same time, the criticality of large scale AMI deployments is approaching that of traditionally more well-regulated infrastructures like generation and transmission. Ours and other research has shown that attacks against smart electric meters can lead to large scale losses of electric service and utility revenue. In this talk, we review some examples of currently standardized security auditing, and make the case that penetration-testing needs to be an added requirement of any serious security audit process in AMI. We then review the results of our efforts in pen-testing smart meters using attack trees to organize our efforts. Finally, it is argued that attack trees are a useful tool for standardized pen-testing efforts as they provide necessary levels of abstraction and act as form of institutional memory.