Embedded Security Analysis with Emphasis on Critical Infrastructures
Description
Embedded systems are ubiquitously used today. From everyday electronic consumer products to critical domains such as medical devices, Electronic Control Units (ECUs) in cars or critical infrastructure field components, their possible fields of application are manifold. While some of these systems are highly security critical and successful attacks could lead to disastrous effects, in the past their exposure to potential attackers was limited due to a lack of widely accessible communication interfaces. For instance, the ECUs in cars used to be interconnected, but there were no wireless uplink connections to connect the car to the Internet, to the user's smartphone or to other cars via vehicle-to-vehicle communication. Many of today's embedded systems were thus designed with a focus on functionality and safety. Security was not a major concern. However, today there is an ongoing paradigm shift from devices considered dumb to highly interconnected smart devices. With Industry 4.0, there is another ongoing industrial revolution that transforms traditional production systems into ICT-enabled smart factories. On the Internet of Things (IoT), an increasing number of everyday embedded devices gets connected to the Internet. Cars often include multiple Internet uplink connections, medical devices such as pacemakers can be adjusted over wireless interfaces, and networked devices within the consumer's premises and the power grid pave the way for green energy consumption and the smart grid. Considering that many potentially insecure systems now become internetworked and accessible to potential attackers, this leaves many critical systems such as smart critical infrastructures at stake.
While a secure system can only be achieved if security is of major concern from the very beginning and a secure life-cycle involving processes such as secure design, secure implementation and continuous security assessments is followed, recent publications have shown that embedded systems do not cope well with this security demand. Ultimately, not only the system manufacturers but also the system owners and operators need ways to assess, manage and test the security of networked embedded systems. This thesis focuses on embedded system security within the smart grid critical infrastructure.
The problem of smart grid security assessment and management is addressed by presenting an architecture-driven approach allowing operators such as utilities to identify high-risk smart grid components in their grid instances, to select those components for detailed technical security audits and to subsequently mitigate security threats. Testing the security of high-risk embedded smart grid field components is still considered to be challenging and more time-consuming in comparison to off-the-shelf PC-based systems. A major cause is that prevalent vulnerability discovery techniques on embedded systems are still largely based on static analysis. To address some of these shortcomings, the use of emulators with proprietary peripheral device communication forwarding is investigated to enable dynamic security analysis approaches such as fuzz testing. The thesis introduces PROSPECT, a proxy capable of tunneling arbitrary peripheral hardware accesses from within a virtual analysis environment to the embedded system under test. Our system thus enables analysts to leverage any powerful dynamic analysis techniques of their choice to discover vulnerabilities on embedded devices with minimal effort. In addition, the use of firmware program state approximation is explored to allow caching device responses within the PROSPECT system. Our case study shows that during security testing, future implementations of peripheral device caching could pave the way for powerful functions such as snapshotting, test parallelization or testing without physical access to the embedded system. Since security testing of embedded firmware is only feasible if the firmware can be extracted from the embedded device in the first place, physical attacks are described that can be applied to embedded smart grid devices. From these physical attacks, the use of limited Integrated Circuit (IC) reverse engineering techniques is explored to discover proprietary test modes in silicon.
Once the test mode is known to the analysts, it is often possible to extract the firmware from the device and subsequently perform firmware security tests. Finally, besides embedded firmware extraction and analysis, future smart grid protocols will involve cryptographic authentication mechanisms that need to be tested and practically evaluated as well. Since no established cryptographic smart grid authentication protocols exist yet, the thesis instead presents a highly efficient FPGA cluster architecture and implementation of a brute-force attack on the well-known WPA2-Personal authentication protocol. Our results indicate that a very high attack performance can be achieved and that our approach would be suitable to test the practical security of future smart grid authentication protocols. The work presented in this thesis thus provides a holistic embedded security analysis approach for critical smart grid components, ranging from architecture modeling, risk assessment and security management over firmware extraction and firmware security analysis to the practical analysis of cryptographic authentication protocols.
Files
Name | Size
---|---
Embedded security analysis with emphasis on critical infrastructures.pdf (md5:c2d8e0cd6da5d0509498471b66d90228) | 20.3 MB