US-13-Blackouts-Issues-with-Wireless-Metering-Protocols-Slid
Energy Fraud and Orchestrated Blackouts
Issues with Wireless Metering Protocols (wM-Bus)
Black Hat USA 2013, Las Vegas, July 31st - Aug 1st 2013
cyrill.brunschwiler@csnc.ch
Compass Security AG, Werkstrasse 20, P.O. Box 2038, CH-8645 Jona
Tel +41 55 214 41 60, Fax +41 55 214 41 61, team@csnc.ch, www.csnc.ch

Agenda
- Intro: Making Of, Smart Grids, Smart Metering
- Wireless M-Bus: Application, Protocol Stack, Communication Modes
- Protocol Overview (Frames, Transport Layer, Data Headers, Relaying)
- Protocol Analysis (Privacy, Confidentiality, Integrity)
- Attack Scenario, Demo
- Conclusion, Outlook
© Compass Security AG www.csnc.ch Slide 2
Intro

Intro – Making Of: Timeline
- Summer 2011: Got attention of wireless M-Bus in smart metering
- Autumn 2012: Started MSc thesis on smart meters and wireless M-Bus
- X-mas 2012: German BSI/OMS group published Security Report
- X-mas 2012: Short mention of M-Bus being inadequate at CCC in Hamburg, Germany
- February 2013: Spent some time digging through EN paperwork
- February 2013: Spent some time in an M-Bus lab environment
- March 2013: Finished analysis of M-Bus current resp. draft standards
- March 2013: German BSI mentions wM-Bus security being insufficient
- Summer 2013: Publication at Black Hat USA

Intro – Smart Grids: Smart Grid Blue Print (figure)

Intro – Smart Metering: Smart Metering Blue Print (figure)
Legend:
- DSO: Distribution System Operator
- NAN: Neighbourhood Area Network
- Wireless M-Bus

Intro – Smart Metering: Home Installation (figure)
Legend:
- HAN: Home Area Network
- Wired and Wireless M-Bus
Wireless M-Bus

Application
Market segment
- Popular in remote meter reading
- Heat, Water, Gas, Electricity
- 15 million devices deployed (figures from 2010)
- Mainly spread across Europe
Usage
- Remote meter reading
- Drive-by meter reading
- Meter maintenance and configuration
- Becoming popular for smart metering applications: tariff schemes, real-time pricing, demand-response, pre-payment, load-limit, remote disconnect
Communication Modes
- Stationary Mode (S) is to be used for communication with battery driven collectors. Specific modes exist for one-way and two-way communication.
- Frequent Transmit Mode (T) is optimised for drive-by readout. Mode T provides specific modes for one-way and two-way communication.
- Frequent Receive Mode (R2) allows for simultaneous readout of multiple meters. Mainly used for gateways and drive-by meter reading.
- Compact Mode (C) is comparable to mode T but allows for increased data throughput. This is achieved by using NRZ for line coding.
- Narrowband VHF Mode (N) is optimised for transmission within a lower frequency narrow band. It is intended for long range repeater use and specifies modes for one-way, two-way and relay communication.
- Frequent Receive and Transmit Mode (F) is optimised for long range communication and is also split into one-way and two-way sub modes.
- Precision Timing Protocol Mode (Q) provides distribution of time information, taking network latency and battery optimised nodes into account.
- Router based Protocol Mode (P) changes addressing to include source and destination to allow for real routing.

Protocol Stack: Involved Standards
Layer        Standard       Description
Application  prEN 13757-3   M-Bus dedicated application layer (specifies application layer security)
Network      EN 13757-5     Wireless relaying (optional for meters supporting the router approach)
Data Link    prEN 13757-4   Wireless meter readout (specifies link layer security)
Physical     prEN 13757-4   Wireless meter readout (specifies use of 868MHz, 433MHz, 169MHz bands)
Legend:
- EN: European Norm
- pr: Draft Standard
Protocol Overview

Protocol Overview: Physical Layer
- Line coding (depends on communication mode): 3 of 6 code (constant-weight code), Manchester coding, NRZ coding
Protocol Overview: Data Link Layer
- Frames
- Device addressing
- Specification of payload (CI field)
- Cyclic redundancy checks (polynomial is 0x3D65)
- Types A and B (B has fewer redundancy checks)
- Extended Link Layer provides encryption (AES-128 in CTR mode)

Protocol Overview: Data Link Layer, CRC calculation using reveng (screenshot)
Protocol Overview: Data Link Layer, First Block
Example Capture (Sent by meter, CRCs removed):
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8

Field      Value              Interpretation
Length     1E                 30 bytes frame length (exclusive length byte)
Control    44                 Indicates message from primary station, function send/no reply (SND-NR)
Manuf.     2D 2C              Coded for Kamstrup (KAM), calculated as specified in prEN 13757-3. The ID is managed by the flag association.
Address    07 71 94 15 01 02  Identification: 15 94 71 07 (little-endian); Version: 01; Device Type: 02 (electricity meter)

Protocol Overview: Data Link Layer, Control Information Field
Example Capture (Sent by meter, CRCs removed):
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8
Types:
- Response from device (consumption value ...)
- Command to device (open/close valve or breaker ...)
- Error from device (cmd unknown, encryption mode unsupported ...)
- Alert from device (power low, tamper switches, permanent failure ...)
- Time sync (update time service on device)
- Application reset (reset app values, tariff, instantaneous values, calibration ...)

Protocol Overview: Network Layer (Relaying)
Protocol using Routers
- Allows for full routing
- Communication mode P
- Introduces dual addressing
- Introduces network mgmt functions (maintain routes, detect broken links)
- Not compatible with EN 13757-5 unaware devices
Protocol using Gateways
- Makes use of address translation
- Supports EN 13757-5 unaware devices
- Introduces management functions to manage node lists, trusted gateways and end-nodes

Protocol Overview: Application Layer (data headers)
- No header
- Short header: indicates access number (frame number); signals errors and alerts; indicates data encryption, supporting several modes
- Long header: see short header; additionally propagates a device address; signals addresses behind bridges or virtual devices
(Figure: Meter Addr. behind a wireless/wired bridge with its own Bridge Addr.)

Protocol Overview: Data Header Example
Example Capture (Sent by meter, CRCs removed):
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8

Field          Value   Interpretation
Access number  B3      Current access number is 179. The standard mandates to choose a random number on meter start. The standard suggests to use timestamps and sequence counters since ACC is insufficient to prevent replay.
Status field   00      Message is meter initiated and there are no alarms or errors.
Configuration  10 85   Encryption mode is 5h which is AES-128 in CBC mode. 10h indicates a single encrypted block containing meter data (without signature). The field further indicates a short window where the meter listens for requests (8h).
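As an added example (not code from the talk or Compass Security), the following Python decoder walks the captured frame from the slides above through the first block and the short data header, recovering the fields the two tables interpret and checking that a mode 5 payload is made of whole AES blocks. Device type names other than 02h are the usual EN 13757-3 codes, and reading the configuration bytes 10 85 as the little-endian word 0x8510 with the mode in its bits 8 to 11 is an assumption taken from that standard.

```python
"""Decode the wM-Bus frame from the slides: first block (prEN 13757-4) and short
data header (prEN 13757-3).  Added example, not code from the talk; the layout
follows the slides' field tables, the configuration word is decoded only as far
as the slides do (mode nibble), and device names beyond 0x02 are standard codes."""

# Capture from the slides, sent by the meter, CRCs already removed (31 bytes).
CAPTURE = bytes.fromhex(
    "1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 "
    "BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8"
)

# EN 13757-3 device type codes (0x02 is the one in the capture).
DEVICE_TYPES = {0x02: "electricity meter", 0x03: "gas meter",
                0x04: "heat meter", 0x07: "water meter"}


def decode_manufacturer(raw: bytes) -> str:
    """Two little-endian bytes hold three 5-bit letters (A=1 .. Z=26): 0x2C2D -> 'KAM'."""
    code = int.from_bytes(raw, "little")
    return "".join(chr(((code >> shift) & 0x1F) + 64) for shift in (10, 5, 0))


def parse_frame(frame: bytes) -> dict:
    """Return the decoded first block and, for CI 7Ah, the short header fields."""
    if len(frame) != frame[0] + 1:
        raise ValueError("length byte does not match frame size")
    out = {
        "length": frame[0],
        # Bit 6 set: primary station; low nibble 4: SND-NR (send, no reply expected).
        "control": "SND-NR (from primary station)" if frame[1] == 0x44 else f"0x{frame[1]:02X}",
        "manufacturer": decode_manufacturer(frame[2:4]),
        "identification": frame[4:8][::-1].hex(),   # 4-byte BCD, least significant byte first
        "version": frame[8],
        "device_type": DEVICE_TYPES.get(frame[9], f"0x{frame[9]:02X}"),
        "ci": frame[10],
    }
    if out["ci"] == 0x7A:                           # short data header follows the CI field
        cfg = int.from_bytes(frame[13:15], "little")  # bytes 10 85 -> word 0x8510 (assumed LE)
        payload = frame[15:]
        out.update({
            "access_number": frame[11],             # 8-bit ACC, randomised at start: no replay protection on its own
            "status": frame[12],
            "encryption_mode": (cfg >> 8) & 0xF,    # nibble 5 = AES-128 in CBC mode
            "encrypted_blocks": len(payload) // 16,  # 16 bytes left -> exactly one AES block
        })
        if out["encryption_mode"] == 5 and len(payload) % 16:
            raise ValueError("mode 5 payload must consist of whole AES blocks")
    return out


if __name__ == "__main__":
    for field, value in parse_frame(CAPTURE).items():
        print(f"{field:>17}: {value}")
```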