ANSI C12.22 is an ANSI/IEEE standard that describes how end devices, such as smart meters, communicate over any LAN/WAN network. Together, these smart meters and the networks that connect them make up the Advanced Metering Infrastructure (AMI), a central component of the smart grid. Made possible by advances in several technologies, the smart grid promises several benefits: greater reliability, continued affordability, new efficiencies and advancements, and the ability to accommodate both renewable and traditional energy sources (Department of Energy).
One example of a consumer-facing AMI benefit is "Prices-to-Devices", near-real-time energy market pricing. Because price signals can be relayed directly to the smart meters, changes in consumer pricing take effect in almost real time, which lets consumers take advantage of the lower night rates offered by utilities that price energy by peak period. Although the benefits of smart grid technology are numerous, moving this communication onto the Internet Protocol exposes it to many of the traditional IT vulnerabilities that come with IP networks.
Unlike some legacy ICS protocols that send their data in the clear, ANSI C12.22 does specify AES encryption for its application payload. The question we ask is: what do the unencrypted sections of a C12.22 message tell us about the information going through the network? More specifically, can ANSI C12.22 be scrutinized to give would-be attackers a critical understanding of the encrypted AMI data without breaking the encryption itself? Our preliminary approach to these questions is to compose feature vectors from ANSI C12.22 traffic and apply unsupervised machine learning to them.
To begin our analysis, our group analyzed traces of ANSI C12.22 using the common network protocol analyzer Wireshark. Study of this protocol revealed several features that are not encrypted and can be used for analysis. The called-AP-title and the calling-AP-title, for example, identify the two communicating application processes and can be used to match a request message with its corresponding reply. Other usable features include the Application Protocol Data Unit (APDU) size, the time between messages, and the informational bits in the EPSEM flags.
Using a combination of these features, our group derived a feature vector consisting of the request APDU size, the reply APDU size, delta t (the time between the request and its reply), and a flow bit. The flow bit is a binary indicator of which side of the network initiated the exchange. To build these vectors, all relevant fields were filtered and exported from Wireshark. Because each feature vector is a construct of a request together with its corresponding reply, a Python script was developed to read the Wireshark export, pair each request with its reply, and emit the correctly formatted feature vectors.
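The pairing step is the part of this pipeline that is easiest to get wrong, so here is an added Python sketch of it; this is illustration written for this page, not the research group's own script. The CSV column names, the dotted AP-title values and the set of "collector" AP titles are all assumptions: a real Wireshark export will use the dissector's own field names, and which AP titles belong to head-end equipment has to be known from the deployment.

```python
"""Pair ANSI C12.22 requests with their replies from a Wireshark export and
emit feature vectors (request APDU size, reply APDU size, delta t, flow bit).

Constructed example: the CSV below imitates a Wireshark "Export Packet
Dissections -> As CSV" with hand-picked columns. The column names and the
AP-title values are assumptions for illustration, not a real capture.
"""
import csv
import io
from collections import defaultdict, deque

# Assumed: AP titles (ASN.1 relative OIDs, shown dotted) of head-end/collector
# nodes. An exchange initiated by one of these gets flow bit 1; an exchange
# initiated by a meter gets flow bit 0.
COLLECTOR_AP_TITLES = {".1.2.840.10066.1.1"}

SAMPLE_EXPORT = """\
frame.time_epoch,calling_ap_title,called_ap_title,apdu_len
1500000000.000,.1.2.840.10066.1.1,.1.2.840.10066.2.17,64
1500000000.120,.1.2.840.10066.2.17,.1.2.840.10066.1.1,212
1500000001.000,.1.2.840.10066.1.1,.1.2.840.10066.2.18,64
1500000001.005,.1.2.840.10066.2.19,.1.2.840.10066.1.1,40
1500000001.090,.1.2.840.10066.2.18,.1.2.840.10066.1.1,212
1500000001.250,.1.2.840.10066.1.1,.1.2.840.10066.2.19,48
1500000009.000,.1.2.840.10066.1.1,.1.2.840.10066.2.20,64
"""


def pair_messages(rows, collectors=COLLECTOR_AP_TITLES):
    """Walk packets in capture order. A packet whose (calling, called) pair is
    the reverse of a pending request's pair is taken as that request's reply
    (FIFO per pair); anything else opens a new pending request.

    Returns (vectors, unmatched) where each vector is
    (req_apdu_len, reply_apdu_len, delta_t_seconds, flow_bit) and unmatched
    counts requests that never saw a reply in the trace.
    """
    pending = defaultdict(deque)  # (calling, called) -> queue of (time, size)
    vectors = []
    for row in rows:
        t = float(row["frame.time_epoch"])
        calling, called = row["calling_ap_title"], row["called_ap_title"]
        size = int(row["apdu_len"])
        reverse = (called, calling)
        if pending[reverse]:
            req_t, req_size = pending[reverse].popleft()
            # In the reply, called-AP-title is the request's initiator.
            flow_bit = 1 if called in collectors else 0
            # Epoch floats at ~1.5e9 keep ~1e-7 s precision; rounding to ms
            # is enough for delta t and keeps the vectors tidy.
            vectors.append((req_size, size, round(t - req_t, 3), flow_bit))
        else:
            pending[(calling, called)].append((t, size))
    unmatched = sum(len(q) for q in pending.values())
    return vectors, unmatched


def feature_vectors_from_csv(text):
    """Parse a CSV export (as a string) and return (vectors, unmatched)."""
    return pair_messages(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    vecs, unmatched = feature_vectors_from_csv(SAMPLE_EXPORT)
    for v in vecs:
        print(v)
    print("unmatched requests:", unmatched)
```

The FIFO queue per (calling, called) pair handles interleaved exchanges between different meters, but it assumes at most one outstanding request per direction between any two AP titles; if a head-end pipelines several requests to one meter before the first reply arrives, the delta t values become ambiguous and a sequence number from the APDU would be needed to pair them correctly. Requests left in the queue at the end of the trace are reported rather than silently dropped, since timeouts are themselves informative.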
Several methods for applying unsupervised machine learning to these vectors have been proposed and are currently being pursued. One is hierarchical clustering, a method of cluster analysis that builds a nested hierarchy of clusters. Each feature vector is treated as a point in a four-dimensional space; starting with every point as its own cluster, the two closest clusters are merged, and this is repeated over successive iterations until a single cluster remains. Because it proceeds by merging, this variant is agglomerative, or "bottom-up" (the alternative, divisive or "top-down" clustering, starts from one cluster and splits it). We can then study the naturally formed clusters at each level of the hierarchy and determine whether any of them correlates with a particular type of message, giving us new awareness of the traffic.
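To make the merging procedure concrete, here is an added Python implementation of average-linkage agglomerative clustering over vectors of the shape described above. It is written for this page and is not the research group's code; the six feature vectors are constructed by hand to form two obvious groups (collector-initiated reads with large replies, and small meter-initiated exchanges). One step the paragraph does not mention but any practitioner would add: the features are z-scored first, because otherwise APDU byte counts in the hundreds swamp sub-second timing differences in the distance metric.

```python
"""Average-linkage agglomerative (bottom-up) hierarchical clustering of
C12.22 request/reply feature vectors, in plain Python.

Constructed example: the vectors are hand-made in the shape
(request APDU size, reply APDU size, delta t in seconds, flow bit) and are
not measurements from a real capture.
"""
import math

SAMPLE_VECTORS = [
    (64, 212, 0.12, 1),  # collector-initiated read, large reply
    (64, 208, 0.11, 1),
    (66, 212, 0.13, 1),
    (40, 48, 0.25, 0),   # meter-initiated, small exchange
    (40, 44, 0.24, 0),
    (38, 48, 0.27, 0),
]


def zscore(vectors):
    """Scale each feature to zero mean / unit variance so that byte counts
    do not dominate the sub-second timing feature in the distance metric."""
    cols = list(zip(*vectors))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]  # 'or 1.0' guards constant columns
    return [tuple((x - m) / s for x, m, s in zip(v, means, stds))
            for v in vectors]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def average_linkage(points, ca, cb):
    """Mean pairwise distance between two clusters given as index lists."""
    return sum(euclid(points[i], points[j]) for i in ca for j in cb) / (
        len(ca) * len(cb))


def agglomerate(vectors):
    """Start with one cluster per vector and repeatedly merge the two closest
    clusters. Returns the merge history as a list of
    (cluster_a, cluster_b, distance) from the first merge to the last; this
    is the dendrogram, and the distances show where the big jump between
    'natural' groups occurs."""
    points = zscore(vectors)
    clusters = [[i] for i in range(len(points))]
    history = []
    while len(clusters) > 1:
        best = None
        for a in range(len(clusters)):
            for b in range(a + 1, len(clusters)):
                d = average_linkage(points, clusters[a], clusters[b])
                if best is None or d < best[0]:
                    best = (d, a, b)
        d, a, b = best
        history.append((clusters[a], clusters[b], round(d, 4)))
        merged = clusters[a] + clusters[b]
        clusters = [c for k, c in enumerate(clusters) if k not in (a, b)]
        clusters.append(merged)
    return history


def cut(vectors, k):
    """Replay the merge history until k clusters remain. Returns the clusters
    as sorted tuples of vector indices so the result is deterministic."""
    history = agglomerate(vectors)
    clusters = [[i] for i in range(len(vectors))]
    for ca, cb, _ in history[: len(vectors) - k]:
        clusters = [c for c in clusters if c not in (ca, cb)] + [ca + cb]
    return sorted(tuple(sorted(c)) for c in clusters)


if __name__ == "__main__":
    for ca, cb, d in agglomerate(SAMPLE_VECTORS):
        print(f"merge {ca} + {cb} at distance {d}")
    print("two clusters:", cut(SAMPLE_VECTORS, 2))
```

The O(n^3) merge loop is fine for a few thousand exchanges and keeps the algorithm visible; for full captures one would switch to scipy's `linkage`, which implements the same agglomerative scheme. Inspecting the distances in the merge history is how you decide where to cut: a large jump between successive merges marks the point where genuinely different message types are being forced together.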
It is still too early to draw a conclusion from this study. Our research group continues to analyze the ANSI C12.22 traffic and to apply different machine learning methods. With cyber attacks increasing around the world, cyber-physical systems are now viable targets for anyone with the right skills and motive. Considering that the AMI network provides critical access points for disrupting electrical power to end users, any weakness in this system would be detrimental.