ADVANCED METERING INFRASTRUCTURE SECURITY

Kunal Adak, Jawash Mohamed, Sri Haritha Darapuneni

A capstone paper submitted as partial fulfillment of the requirements for the degree of Masters in Interdisciplinary Telecommunications at the University of Colorado, Boulder, 6 December 2010. Project directed by Professor Timothy X Brown.

1 Introduction

The utility industry is making use of advanced technologies to increase the reliability, resilience, intelligence, and efficiency of the existing power grid, which led to the concept of the Smart Grid (SG) [11], [24]. Advanced Metering Infrastructure (AMI) is considered to be the heart of SG. AMI has been the focus in recent times for vendors and utilities. Lack of security in AMI systems can make the electrical distribution unreliable [13]. As far as AMI is concerned, the electric power industry is new to the security challenges. These challenges, if not addressed, could open AMI to attacks that could prove catastrophic to the economy and public safety [14]. Many organizations such as the National Institute of Standards and Technology (NIST) and Open Smart Grid (OpenSG) are working on the security requirements of AMI in order to safely integrate the SG technology into the power grid.

1.1 Statement of the Problem

The purpose of the research paper is to present security concerns relevant to AMI and to recommend security requirements to AMI developers or implementers.

1.2 Scope (Limitations, Assumptions and Hypothesis)

The intent of this research is to provide potential threats, risk analysis and mitigation techniques for those threats concerned with the Smart Meter, Communication Device, Meter Data Management System (MDMS) and AMI Head End. The threats and the impact of threats to AMI in this paper are limited to the components and interfaces that carry meter data and are controlled by the electric utility. The research takes into account all the communications between the MDMS and the consumer-facing smart meter.

The security recommendations made will not apply to the entire Smart Grid network, since the research concentrates only on the AMI part of the network. Depending upon the severity levels derived from risk analysis, we will propose a set of authentication, encryption and key management protocols to be used by the utility industry, vendor communities, and other AMI stakeholders for deploying a secure AMI.


Figure 1: AMI Infrastructure considered for research [5]

(Figure legend: Devices in the scope of the project; Devices out of scope: Not under the control of electric utility; Devices out of scope: Under the control of electric utility but carry no AMI Meter data)

1.3 Importance of Study

The primary reason for choosing AMI security from the Smart Grid network is the interdependency of AMI on communications infrastructure and information infrastructure: a compromise of one domain could affect the other two domains [6]. As the challenges to be addressed in AMI deployment are relatively new to the utility industry, extensive research is required because conventional Information Technology (IT) or Telecommunication security measures cannot be applied to AMI. In the IT or Telecommunications industries the risk tolerance of the network in terms of service disruption is high, whereas the interdependencies of various phases like generation, distribution of electricity, etc. in SG make it less risk tolerant to service disruption. AMI is a key building block for a smart grid [5] [8], and lack of security in AMI can cripple a business or cause a wide-scale blackout and hundreds of millions of dollars in economic damage [4]. This makes a compelling case to safeguard the AMI networks and metering assets.

2 Literature Review

Advanced Metering Infrastructure technologies are more sophisticated than older Automatic Meter Reading (AMR) standards and have gained the interest of stakeholders, utilities, regulators and energy markets. However, very little has been done when it comes to cyber security [7]. The National SCADA Test Bed (NSTB) drafted a document to list the kind of risks that create vulnerabilities for Smart Grid systems and some security measures to alleviate them [11]. The NIST Cyber Security Coordination Group (NCSCG) has also laid down guidance and security controls with the motive to provide prescriptive, actionable guidance for how to build in and implement security for AMI functionality [24]. CERTICOM (adopted by the National Security Agency) has also laid down their own authentication and encryption management protocols to obtain site-to-site security for AMI systems [2]. Even with all these organizations coming up with their own security standards, the U.S. electrical grid was penetrated by cyber-spies who left behind software programs that could be used to disrupt the system. According to U.S. national security officials, spies from China and Russia were believed to be intent on navigating the U.S. electrical systems and its controls [23].

The comment usually is “If you encrypt everything, then everything is secure”. This kind of attitude shows how AMI security is taken for granted. In November 2007, an AMI Security (AMI-SEC) Task Force was formed by the Open Smart Grid Users Group to address AMI security issues [14]. The documents released by AMI-SEC include ‘Security Specification and a Security Implementation Guide for AMI’, which provides useful guidance. However, the contemporary implementations of AMI are known to have considerable security concerns. The National Infrastructure Protection Plan (NIPP) and North American Electrical Reliability Corporation – Critical Infrastructure Protection (NERC CIP) have proposed solutions to AMI security in terms of Smart Grid PKI standards and tools, Attestation Certificates, and Attributes [22]. Leading technology providers for global energy and water industries like ITRON Inc. have also performed qualitative security risk analysis of AMI systems, listing threat agents, motivations, threats and vulnerabilities, controls and assets [15]. Even with these security measures in place, researchers like Goodspeed discovered several techniques to compromise wireless devices used in AMI networks and successfully documented how intruders can extract data from the memory of these devices, including keys used for network validation [12]. It is quite apparent that AMI security as of today is incapable of protecting the national power grid from attack by malicious and knowledgeable groups; that is where our research starts.

Resilience to cyber attacks has always been one of the key principles of the Smart Grid vision, and our research will be an attempt to provide security requirements for building and deploying AMI by analyzing threats and risks associated with it [9][17]. Organizations all over the world have only performed security risk analysis and have provided recommendations, but are those recommendations really mitigating the attacks? Researchers have proved that, even with all these security measures in place, vulnerabilities can still be exposed and attacks on AMI can still be performed. This implies a need for more security research on AMI technology, even if organizations like NIST have been working with vendors, stakeholders and utilities to come up with the best defense mechanisms. Our research makes an attempt not only to identify threats and their associated risk levels at various links on the AMI system, but also to provide security recommendations which, if applied, will lessen the severity levels associated with those threats. Ultimately, the goal of our research is to inform AMI systems designers about security concerns so that confidentiality, integrity and availability of the Smart Grid network are protected on a long-term basis.


3 Methodology

Defining the attacks on the AMI requires the assets of interest to be identified. In this case there are four components: Smart Meter, AMI Head End, Communication Network and MDMS. Data flow diagrams can be modeled between the components, from which entry points to the system such as data sources, network services, user interfaces etc. can be identified. AMI use cases where researchers in the past have identified potential attacks and where hackers have infiltrated the system will be analyzed to determine all the types of attacks that have been performed on the AMI components [25]. To identify a possible attack on a given node, it is imperative to understand what kind of security services are running at that particular node. Depending on those security services, the attacker will choose a particular asset to manipulate restricted information or gain access to systems that are prohibited [3].

The risk analysis carried out in this research paper will be qualitative in nature to determine the risk level involved. The impact of threats on the AMI components will be analyzed considering the following parameters: severity of the threat, probability of the threat occurring and potential loss to the consumer, utility or generation department. This will result in concentrating on one threat at a time, and the severity, probability and loss potential of each threat can be viewed and known, so that the threat causing the greatest risk can be addressed first.

4 Threat Model

Threat modeling is the practice of identifying threat agents and threats, categorizing the threats, and then defining countermeasures to mitigate them [19]. Furthermore, “the threat model can be used to assess the probability, severity, and reasoning of certain attacks and allow for designers to implement proper controls for mitigation purposes” [15]. Figure 2 shows the interaction of some of these functions, which we will develop in later sections.

Figure 2: Threat Model


4.1.1 Threat Model Development

This research paper goes through a series of steps to develop a threat model, which can be used in future to deploy a secure Advanced Metering Infrastructure in a smart grid network.

Step 1: Identify critical threats to the AMI

Step 2: Categorize threats according to security domains

Step 3: Identify the threat agents for those critical threats and their motives

Step 4: Identify the AMI functional block the threats affect

4.1.2 Identify Critical Threats

A threat can be viewed as a harmful event which targets a vulnerability of a system, jeopardizing its security in terms of confidentiality, accessibility and integrity [2]. Nowadays, the AMI part of the Smart Grid network has been exposed to threats, and some of the specific ones are:

1. Tampering application services at AMI nodes

2. Masquerade as the control center

3. Authentication Bypass in metering protocols

4. Buffer Overflow through the AMI meter's firmware

5. Firmware Manipulation

4.1.3 Categorize threats according to security domain

The above-mentioned threats are categorized depending on which security aspect of the AMI system is compromised, as shown in Figure 3. The following security services counter these threats:

Confidentiality: Ensures that data is shared only with authorized individuals on a need-to-know basis, and that intentional or unintentional disclosure of the data does not occur. [7]

Integrity: Ensures that data is authentic, correct, and complete, and provides assurance that the data can be trusted. [7]

Availability: Requires that data is accessible by authorized entities whenever in need. [7]

Figure 3: Security Requirements affected by the threats

Each threat exploits vulnerabilities present in the system or a protocol, as shown in Figure 3. Table 1 lists the vulnerabilities and the impacts associated with the threats identified above.

4.1.4 Identify Threat Agents and their motives

The previous section describes specific possible threats to AMI systems. Considering those threats, two types of attackers are possible. One is the internal attacker, who is situated within the system and has some privileged system access. The other is the external attacker, who uses the Internet, wireless channel access, or physical access to the system to perform an attack. For this research paper, internal attackers are not taken into consideration, as the internal people of any system/organization are assumed to carry a sense of trust. So, taking external attackers into account, we assume that they all have one of three kinds of motives behind any attack:

1. Disruption of service: Interruption or prevention of service

2. Stealing Electricity: Adding or modifying information

3. Unethical: Defaming an organization / individual

Table 1: Vulnerabilities and Impact associated with a threat [5]

| Threat | Vulnerability | Impact (C: Confidentiality, I: Integrity, A: Availability) |
|---|---|---|
| Tamper | The management applications and services remain exposed and available for all the nodes | Disrupting the communication flow to reroute all the traffic to attacker's node for later manipulation (I) |
| Masquerade | Lack of Authentication / Encryption | Impersonating the control center and send unauthorized commands to meters or read metering data. (I) |
| Authentication Bypass | Poor implementation of metering protocols | Manipulate reading parameters of the smart meters (CI) |
| Buffer Overflow | Firmware makes certain assumptions regarding the data it receives, particularly the size of each message format | System instability or freeze, change values of parameters, which are saved in the memory stack or even execute arbitrary code (CI) |
| Firmware Manipulation | Firmware architecture with poor access controls | Attacker can execute a disconnect action and then make the meter completely unresponsive till it is returned to the manufacturer, thus making it impossible for the network operator to reverse his actions (CIA) |


5 Risk Analysis

Efficient application of controls to alleviate the most likely attack vectors is possible by constructing an array of attack scenarios. This reduces both the likelihood and consequence of a successful attack [8]. This research paper makes use of qualitative risk analysis, where the likelihood of an attack refers to the level of expertise the attacker needs to perform the attack. The consequence of an attack refers to the impact a threat has on the functionality of the device and/or network performance.

Likelihood is measured in terms of Unlikely, Possible, Likely and Almost Certain. The severity level of consequence includes Minor, Moderate, Major and Severe. The definitions of these terms are listed in the tables below.

Table 2: Qualitative Risk Assessment Interpretations

| Category | Level | Interpretation |
|---|---|---|
| Consequence | Minor | Threatens the functionality of the device / Threatens the performance of the network |
| Consequence | Moderate | Device malfunctions to an acceptable level / Degrades the performance of the network but still functional |
| Consequence | Major | Device malfunctions beyond acceptable level / Degrades the performance of the network beyond acceptable level |
| Consequence | Severe | Permanent damage to the device / Permanent damage of the network causing wide spread blackout |
| Likelihood | Unlikely | The attacker needs to be a 'guru' or requires very high level of expertise to perform an attack |
| Likelihood | Possible | The attacker requires high expertise to perform an attack |
| Likelihood | Likely | The attacker requires medium level of expertise to perform an attack |
| Likelihood | Certain | The attacker requires minimum expertise to perform an attack |

Based on the likelihood and consequence, a risk matrix is derived as shown below:

Table 3: Risk Analysis Matrix

The table below shows the likelihood and consequence of a threat with respect to the location of the attacker and the key to determining the risk level with respect to likelihood and consequence. The links listed in the table are labeled in Figure 1.

Table 4: Likelihood and Consequence of attack on interfaces shown in Figure 1

Key to determining the risk level w.r.t. likelihood and consequence

| Likelihood \ Consequence | Minor | Moderate | Major | Severe |
|---|---|---|---|---|
| Unlikely | Low | Low | Medium | Critical |
| Possible | Low | Medium | High | Critical |
| Likely | Medium | Medium | High | Critical |
| Certain | Medium | High | Critical | Critical |

Below is the explanation for choosing likelihood and consequence for a particular threat:

Masquerade: For masquerading, the attacker will try to impersonate the device which is nearest to the AMI meter.

Impersonating the AMI Head End: The consequence will be Major, because all the major functionalities of the meter can be changed and the meter could be turned off. The AMI Head End is complex and has more functionality than the AMI Communications Network Device, which will result in additional and compound security measures. Hence, the likelihood is Unlikely. Similar logic is applied if the attacker is situated at LINK 3 and LINK 4.

Impersonating the AMI Communication Network Device: It will cause Moderate damage, because false power outage and restoration messages will be sent out, causing performance degradation. The AMI Communications Network Device doesn't have much functionality compared to the AMI Head End and MDMS, which will result in fewer security measures. Hence, the likelihood is Possible.

Tampering: For tampering, the attacker will attempt to tamper with the data on the link where he/she is located.

LINK 1: Tampering with data such as meter readings, pricing details, load-shedding messages, meter on/off commands and meter provisioning details would cause a Major consequence, as it could lead to network performance degradation beyond acceptable level. It will require a high level of expertise to tamper with the data on LINK 1 because of the nature and the number of messages flowing on it. Hence, the likelihood is Possible.

LINK 2: Tampering with data such as meter last gasp messages would only threaten the network performance. Hence the consequence is Minor. Tampering with meter gasp messages requires medium level expertise, due to which the likelihood is Likely.

LINK 3: Tampering with data such as power outage and restoration notifications and gasp messages would cause Moderate damage to network performance. Tampering with data such as power outage and restoration notifications and gasp messages will require more expertise, due to which the likelihood is Possible.

LINK 4: Tampering with data such as HAN equipment responses and commands, event logs, meter read requests and planned outage information would cause Severe degradation to network performance, as it would also affect communications between the MDMS and the distribution part of the Smart Grid. This link contains the highest number of communication messages and would be the most secure one among all the links, due to which tampering with data on LINK 4 will require the highest amount of expertise. Hence the likelihood is Unlikely.

Authentication Bypass: The attacker will attempt to bypass authentication credentials present on the AMI meter, irrespective of which link he/she is located on. Here the consequence of the attack will be consistent on all the links: if the meter credentials are compromised, he/she can get root-level access to the AMI meter and can manipulate all the functionalities of the meter, causing it to malfunction beyond acceptable level, or shut down the meter itself. Hence the consequence is Major.

LINK 1 and LINK 2: If the attacker has point-to-point direct access to the device whose credentials he/she wants to bypass, the level of expertise required will be less than if he/she is located multiple hops away from the targeted device. Also, even if the attacker has direct access to the targeted device, he needs a high level of expertise to get root-level access to it. Hence the likelihood is Likely.

LINK 3 and LINK 4: The attacker has to take at least one hop before he attempts to get root-level access to the AMI meter, due to which he needs to have a very high level of expertise. Hence the likelihood is Unlikely.

Buffer Overflow: The attacker attempts to overflow the buffer of the AMI meter by broadcasting malformed messages, irrespective of the link he/she is using. Here the consequence of the attack will be consistent on all the links: if the meter is overloaded with excess data, it can damage the user's files, change data, or disclose confidential information stored in the AMI meter, and arbitrary code can also be generated, which can lead to system instability. Hence the consequence will be Severe on all the links.

LINK 1 and LINK 2: Buffer overflow attacks are among the most common attacks performed in today's world. If the attacker has direct access to the AMI meter, he will require medium level expertise to overflow the buffer of the meter. Hence the likelihood is Likely on LINK 1 and LINK 2.

LINK 3 and LINK 4: The expertise level rises when the attacker doesn't have direct access to the meter. He/she needs to compromise an additional device before the targeted device is compromised. Hence the likelihood is Possible on LINK 3 and LINK 4.

Firmware Manipulation: The attacker aims to manipulate the firmware running on the AMI meter. The entire functionality of the AMI meter depends on how the firmware is coded. The consequence of this attack will be consistent irrespective of where the attack is attempted from. Firmware manipulation could lead to catastrophic results, as the attacker can make the AMI meter function the way he/she wants. Hence, the consequence of this attack from any link would be Severe. Also, as far as likelihood is concerned, successful firmware manipulation requires a very high level of expertise, and most of the attempts to perform firmware manipulation are done remotely. Hence the likelihood would be Unlikely on all the links.

From Table 4 it can be concluded that:

- The most critical attacks are:
  - Buffer Overflow: It has severe consequence across all the links with a likelihood of Likely/Possible, resulting in a risk severity of Critical.
  - Firmware Manipulation: It has severe consequence across all the links with a likelihood of Unlikely, resulting in a risk severity of Critical.
- Other attacks that need security recommendations are Authentication Bypass and Tamper, as both have a risk severity of High.
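The derivation described in this section, carried through as an added example (not part of the original paper): it encodes the key printed with Table 4 and the likelihood/consequence ratings stated in the per-threat explanations, then derives the risk level at each attacker location. All function and variable names are assumptions made for illustration.

```python
# Added example: risk levels derived from the paper's key and stated ratings.
CONSEQUENCES = ("Minor", "Moderate", "Major", "Severe")
RISK_ORDER = ("Low", "Medium", "High", "Critical")

# Key to determining the risk level. Rows: likelihood; columns follow CONSEQUENCES.
RISK_KEY = {
    "Unlikely": ("Low", "Low", "Medium", "Critical"),
    "Possible": ("Low", "Medium", "High", "Critical"),
    "Likely": ("Medium", "Medium", "High", "Critical"),
    "Certain": ("Medium", "High", "Critical", "Critical"),
}
ALL_LINKS = ("LINK 1", "LINK 2", "LINK 3", "LINK 4")


def _same(links, likelihood, consequence):
    """Give several links the same (likelihood, consequence) rating."""
    return {link: (likelihood, consequence) for link in links}


# (likelihood, consequence) per attacker location, as stated in the explanations.
RATINGS = {
    "Masquerade": {
        "as AMI Head End": ("Unlikely", "Major"),
        "as AMI Communications Network Device": ("Possible", "Moderate"),
    },
    "Tamper": {
        "LINK 1": ("Possible", "Major"),
        "LINK 2": ("Likely", "Minor"),
        "LINK 3": ("Possible", "Moderate"),
        "LINK 4": ("Unlikely", "Severe"),
    },
    "Authentication Bypass": {
        **_same(("LINK 1", "LINK 2"), "Likely", "Major"),
        **_same(("LINK 3", "LINK 4"), "Unlikely", "Major"),
    },
    "Buffer Overflow": {
        **_same(("LINK 1", "LINK 2"), "Likely", "Severe"),
        **_same(("LINK 3", "LINK 4"), "Possible", "Severe"),
    },
    "Firmware Manipulation": _same(ALL_LINKS, "Unlikely", "Severe"),
}


def risk_level(likelihood, consequence):
    """Look up one cell of the key, rejecting labels the key does not define."""
    if likelihood not in RISK_KEY or consequence not in CONSEQUENCES:
        raise ValueError(f"unknown rating: {likelihood!r}, {consequence!r}")
    return RISK_KEY[likelihood][CONSEQUENCES.index(consequence)]


def assess(ratings=RATINGS):
    """Risk level for every threat at every attacker location."""
    return {
        threat: {loc: risk_level(*rating) for loc, rating in locations.items()}
        for threat, locations in ratings.items()
    }


def prioritize(ratings=RATINGS):
    """Threats ordered by highest risk level, then by how many locations reach it."""
    rows = []
    for threat, levels in assess(ratings).items():
        worst = max(levels.values(), key=RISK_ORDER.index)
        count = sum(1 for level in levels.values() if level == worst)
        rows.append((threat, worst, count))
    return sorted(rows, key=lambda r: (-RISK_ORDER.index(r[1]), -r[2], r[0]))


if __name__ == "__main__":
    for threat, worst, count in prioritize():
        print(f"{threat:22} worst={worst:8} locations at that level={count}")
```

With the ratings as stated in the text, Tamper comes out High on LINK 1 and Critical on LINK 4 (Unlikely and Severe), so the per-location view is worth keeping next to any single per-threat figure.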

6 Security recommendations

From the risk analysis, we concluded that the attacks that have critical severity are:

1. Buffer Overflow

2. Firmware manipulation

3. Authentication Bypass

4. Tamper

In this section, we will provide security recommendations for the above-mentioned attacks.

6.1 Controls for Buffer Overflow:

Buffer overflow can be prevented by using Libsafe 2.0, middleware software created by Bell Labs [17]. By intercepting all the calls made to the vulnerable library functions, it prevents the attacker from overwriting the return address and hijacking the control flow of the running program. Another method to detect buffer overflow attacks is to use ‘stack canaries’ [21]. A buffer overflow attack overwrites memory from lower to higher memory addresses, so it has to overwrite the canary value before it overwrites the return pointer. If the canary value has changed, the attack can be detected before the execution of the malicious code can occur.

6.2 Controls for Firmware Manipulation:

One way to prevent meter firmware from being directly accessed, read and downloaded is to use microcontrollers that can be locked, so that an attacker cannot analyze or re-install the firmware [20]. One way to prevent the firmware from being overwritten by corrupted/unauthorized firmware is to validate it for integrity and authentication before it gets placed in the boot loader, so that spoofing and injection of malicious code can be blocked [12]. Vendor design teams can also encrypt the firmware: encryption preserves the confidentiality and integrity of the new firmware image by facilitating secure transport through the utility network, where it is then decrypted in metering devices [21].
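A sketch of the validation step described above, added as an example and not taken from the paper or from any vendor's code: a received package is checked for authentication, length and integrity, in that order, before the image is released to the boot loader. The package layout, the `AMIF` magic value, the size limit and the use of HMAC-SHA256 with a pre-shared key are all assumptions chosen so the example runs with the standard library.

```python
import hashlib
import hmac
import struct

# Assumed package layout (hypothetical, not a vendor format):
#   header  = magic "AMIF" | version u32 | image_len u32 | SHA-256(image)
#   package = header | HMAC-SHA256(key, header) | image
MAGIC = b"AMIF"
HEADER = struct.Struct(">4sII32s")
TAG_LEN = hashlib.sha256().digest_size
MAX_IMAGE_LEN = 512 * 1024  # assumed flash budget for one image


class FirmwareRejected(Exception):
    """Raised when a package must not be handed to the boot loader."""


def build_package(key: bytes, version: int, image: bytes) -> bytes:
    """Vendor side: bind the image digest and length into an authenticated header."""
    header = HEADER.pack(MAGIC, version, len(image), hashlib.sha256(image).digest())
    return header + hmac.new(key, header, hashlib.sha256).digest() + image


def validate_package(key: bytes, package: bytes):
    """Meter side: return (version, image) only if every check passes."""
    if len(package) < HEADER.size + TAG_LEN:
        raise FirmwareRejected("package shorter than header and tag")
    header = package[:HEADER.size]
    tag = package[HEADER.size:HEADER.size + TAG_LEN]
    image = package[HEADER.size + TAG_LEN:]

    # 1. Authentication: the header must carry a tag made with the shared key.
    #    Nothing in the header is parsed or trusted before this passes.
    expected = hmac.new(key, header, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise FirmwareRejected("authentication tag mismatch")

    magic, version, image_len, digest = HEADER.unpack(header)
    if magic != MAGIC:
        raise FirmwareRejected("unexpected magic value")

    # 2. Length: the image must be exactly as long as the header declares.
    if image_len != len(image) or image_len > MAX_IMAGE_LEN:
        raise FirmwareRejected("image length mismatch")

    # 3. Integrity: the image must hash to the digest the header vouches for.
    if not hmac.compare_digest(hashlib.sha256(image).digest(), digest):
        raise FirmwareRejected("image digest mismatch")

    return version, image


if __name__ == "__main__":
    demo_key = bytes(range(32))            # constructed key for the demo
    demo_image = b"\x90" * 1024            # constructed stand-in for an image
    package = build_package(demo_key, 3, demo_image)
    print(validate_package(demo_key, package)[0])
```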

6.3 Controls for Authentication Bypass:

Metering protocols like DLMS and IEC 60870 must support HMAC_MD5 authentication, since this type of authentication uses a secret key combined with the data being protected to compute a hash [21]. Also, metering protocols should support Internet Key Exchange (IKE), which defines mechanisms for key generation and exchange, and manages security associations (SAs) [20].
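The keyed-hash authentication described above, as an added example that is not from the paper and is not DLMS or IEC 60870 encoding: a head end seals each command with an HMAC over the frame, and the meter accepts a command only if the tag verifies. The frame layout, class and function names and the sample commands are assumptions; the digest defaults to MD5 as the paper names it and can be switched to SHA-256, and the frame-counter check goes beyond the text to show how a captured frame is kept from being accepted twice.

```python
import hmac
import struct

# Assumed frame layout (hypothetical):
#   meter_id u32 | counter u32 | command bytes | HMAC tag
FIELDS = struct.Struct(">II")


def _tag(key: bytes, body: bytes, digest: str) -> bytes:
    """Keyed hash over the whole frame body (addressing, counter and command)."""
    return hmac.new(key, body, digest).digest()


def seal_command(key, meter_id, counter, command, digest="md5"):
    """Head-end side: append the tag so the meter can authenticate the frame."""
    body = FIELDS.pack(meter_id, counter) + command
    return body + _tag(key, body, digest)


class MeterEndpoint:
    """Meter side: verifies frames from the head end before acting on them."""

    def __init__(self, meter_id, key, digest="md5"):
        self.meter_id = meter_id
        self._key = key
        self._digest = digest
        self._tag_len = hmac.new(key, b"", digest).digest_size
        self._last_counter = 0  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the command bytes if the frame is authentic and fresh, else None."""
        if len(frame) < FIELDS.size + self._tag_len:
            return None
        body, tag = frame[:-self._tag_len], frame[-self._tag_len:]
        # Constant-time comparison; a sender without the key cannot produce this tag.
        if not hmac.compare_digest(tag, _tag(self._key, body, self._digest)):
            return None
        meter_id, counter = FIELDS.unpack_from(body)
        if meter_id != self.meter_id:
            return None  # authentic frame, but addressed to another meter
        if counter <= self._last_counter:
            return None  # already seen: a replayed or reordered frame
        self._last_counter = counter
        return body[FIELDS.size:]


if __name__ == "__main__":
    shared_key = b"constructed-demo-key"          # constructed for the demo
    meter = MeterEndpoint(42, shared_key)
    frame = seal_command(shared_key, 42, 1, b"READ_REGISTER")
    print(meter.accept(frame))                    # accepted once
    print(meter.accept(frame))                    # same frame again: rejected
```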

6.4 Controls for hijacking data:

Security measures should be implemented at the Application and Network level of the AMI communication module. As far as network level hijacks are concerned, packets can be ciphered to prevent packet headers from being hijacked. Encryption can be provided by using protocols such as IPSEC, SSL and SSH in the AMI network. Application session hijacking can be prevented by using strong session IDs; expiring sessions can also be used, since they require re-authentication, which makes attacks futile [20].

7 CONCLUSION

Smart Grids in today's world are still in their nascent stage when it comes to security, even though they are helping in efficient power and energy management [16]. Security will be truly effective only when it is built in from the beginning, but as all the other competing demands are pursued, it is placed on the list of low priorities [18]. It is important to remember that though AMI offers a remarkable amount of potential, it still calls for an industry-driven, resilient and scalable security standard [10]. Organizations such as NIST, OpenSG and the AMI-SEC Task Force are coming up with their own security standards for AMI, yet none of them have a defense mechanism that would provide a completely secure solution for AMI deployment. The motive of our research is to present a list of potential security concerns to the AMI in terms of threats and threat agents, to perform qualitative risk analysis on each of those threats with respect to each motive and link, and then to propose security measures for critical threats. The purpose of these findings is to convey information essential to deploy proper controls that will lessen the security issues revolving around AMI. It will require a tremendous amount of coordinated and collective effort from the utilities, regulators and consumers to make Smart Grids not only secure but also a reality.


References:

[1] A. Gerra, “Security strategy that should be adopted by utilities for Smart Grid implementation before standards hit the industry,” M.S. dissertation, University of Colorado at Boulder, United States, October 25th, 2010.

[2] Certicom, “Critical Infrastructure Protection for AMI Using a Comprehensive Security Platform,” Certicom white paper, February 2009. http://certicomcenterofexcellence.com/pdf/white_paper-ami_advanced_metering_infrastructure.pdf

[3] C4, “The Dark Side of the Smart Grid - Smart Meters (in)Security,” C4 security white paper, September 2010. http://www.c4-security.com/The%20Dark%20Side%20of%20the%20Smart%20Grid%20-%20Smart%20Meters%20(in)Security.pdf

[4] D.G. Hart, “Using AMI to realize the Smart Grid,” in Proceedings of the Conference on Power and Energy Society General Meeting - Conversion and Delivery of Electrical Energy in the 21st Century, Pittsburgh, PA, July 20-24, 2008.

[5] D. Wei, Y. Lu, M. Jafari, P. Skare and K. Rohde, “An Integrated Security System of Protecting Smart Grid against Cyber Attacks,” in Proceedings of the Conference on Innovative Smart Grid Technologies, Gaithersburg, MD, January 19-21, 2010.

[6] E. Liu, M. L. Chan, C. W. Huang, N. C. Wang, and C. N. Lu, “Electricity grid operation and planning related benefits of advanced metering infrastructure,” presented at the Conference on Critical Infrastructure, Beijing, China, September 20-22, 2010.

[7] F.M. Cleveland, “Cyber security issues for Advanced Metering Infrastructure (AMI),” in Proceedings of the Conference on Power and Energy Society General Meeting - Conversion and Delivery of Electrical Energy in the 21st Century, Pittsburgh, PA, July 20-24, 2008.

[8] Idaho National Laboratory, “Study of Security Attributes of Smart Grid Systems - Current Cyber Security Issues,” Idaho National Laboratory, April 01, 2009. http://www.smartgridinformation.info/pdf/1335_doc_1.pdf

[9] J. Ketchledge, “Future Proofing AMI Systems to Support Smart Grid Adoption,” Enspiria Inc white paper, September 2009. http://www.enspiria.com/Article%20pdfs/Futureproofing_AMI_to_Support_SmartGrid_Adoption.pdf

[10] J. S. John, “Hacking the Grid: Is Smarter Less Secure?,” Blog post on Greentech Media, April 8, 2009. http://www.greentechmedia.com/articles/read/hacking-the-grid-is-smarter-less-secure-6017/

[11] K. Cornish, “The Migration from AMI to Smart Grid,” Enspiria white paper, August 2010. http://www.enspiria.com/Article%20pdfs/Migration_from_AMI_to_Smart_Grid.pdf

[12] K. Moslehi and R. Kumar, “Smart Grid - A Reliability Perspective,” presented at the Conference on Innovative Smart Grid Technologies, Gaithersburg, MD, January 19-21, 2010.

[13] M. Carpenter, T. Goodspeed, B. Singletary, E. Skoudis and J. Wright, “Advanced Metering Infrastructure Attack Methodology,” InGuardians, January 5, 2009. http://inguardians.com/pubs/AMI_Attack_Methodology.pdf

[14] OpenSG Users Group, “AMI Task Force Roadmap,” Open Smart Grid white paper, September 30, 2008. http://osgug.ucaiug.org/utilisec/amisec/.../AMI-SEC_Roadmap_Document_v0_4-20080930_NCG.doc

[15] R. C. Parks, “Advanced Metering Infrastructure Security Considerations,” Sandia National Laboratories white paper, November 2007. www.sandia.gov/ccss/documents/Parks-2007-7327.pdf

[16] R. E. Robinson and M. G. Stuber, “Risk Analysis for Advanced Metering,” Itron white paper, September 29, 2010. www.itron.com/asset.asp?path=support/whitepaper/pdf/itr_016898.pdf

[17] R. L. Ekl and A. R. Metke, “Smart Grid Security Technology,” in Proceedings of the Conference on Innovative Smart Grid Technologies, Gaithersburg, MD, January 19-21, 2010.

[18] R. Shein, “Security Measures for Advanced Metering Infrastructure Components,” in Proceedings of the Conference on Power and Energy Engineering, Chengdu, China, March 28-31, 2010.

[19] R. V. Gerwen, S. Jaarsma, and R. Wilhite, “Smart Metering,” Leonardo Energy Inc. white paper, July 2006. http://www.leonardo-energy.org/webfm_send/435

[20] S. Harris, CISSP Certification All-in-One Exam Guide, 2007, pp. 53-107.

[21] S. Kapoor, “Session Hijacking Exploiting TCP, UDP and HTTP Sessions,” Info-point security white paper, July 2006. https://www.info-point-security.com/open_downloads/alt/SessionHijacking.pdf

[22] S. McLaughlin, D. Podkuiko and P. McDaniel, “Energy Theft in the Advanced Metering Infrastructure,” Lecture Notes in Computer Science, vol. 6027/2010, pp. 176-187, 2010.

[23] The Advanced Security Acceleration Project, “Security Profile For Advanced Metering Infrastructure,” OpenSG Users Group, December 10, 2009. http://osgug.ucaiug.org/utilisec/amisec/Shared%20Documents/AMI%20Security%20Profile%20(ASAP-SG)/AMI%20Security%20Profile%20-%20v1_0.pdf

[24] T. M. Chen, “Survey of cyber security issues in smart grids,” in Proceedings of the Conference on Cyber Security, Situation Management, and Impact Assessment II; and Visual Analytics for Homeland Defense and Security II, Orlando, FL, April 28, 2010.

[25] U.S. Department of Energy, “The Smart Grid: An Introduction,” U.S. Department of Energy, August 6, 2010. http://www.oe.energy.gov/DocumentsandMedia/DOE_SG_Book_Single_Pages(1).pdf

[26] W. Sikora, M. Carpenter, and J. Wright, “Smart Grid and AMI Security Concerns,” InGuardians, July 23, 2009. http://inguardians.com/pubs/Smart_Grid_AMI_Security_Concerns-20090723.pdf