Harnessing the unknown in advanced metering infrastructure traffic

Paper i proceeding, 2015

The Advanced Metering Infrastructure (AMI), a key component for smart grids, is expanding with more installed devices. Due to security and privacy concerns, the communication between these devices is encrypted, making it more secure against malicious third parties but also obscuring the ability of the network owner to detect any misbehaving user or equipment. We are investigating how to balance the need for confidentiality with the need to monitor the AMI. More specifically, we develop one important component for an AMI Intrusion Detection System (IDS), which can accurately determine the individual commands (but not their content) sent between AMI devices even when they are sent over an encrypted channel or in a protocol that the IDS cannot parse. We explain our methodology and propose features which summarize traffic characteristics. We conduct a feasibility study based on representative protocols in AMI and demonstrate the real utility of this IDS component. Our results are validated experimentally using two different datasets containing realistic traffic captured from two different AMI testbeds.