AMINet: An Industrial Honeynet for AMI Systems

Researchers at the University of Patras (UPAT), as part of the Phoeni2x project, have recently developed and presented an innovative intrusion detection system called AMINet. AMINet is designed to enhance cybersecurity in Advanced Metering Infrastructure (AMI) systems. AMINet’s innovation relates to the DLSM/COSEM smart meters, and lies in providing a new defence mechanism against cyber attacks.

AnAMI system includes smart meters for data exchange of electrical measurements (i.e., current, voltage, active & apparent power). Measurements are then used to provide billing for customers as well as historical data to perform load production and distribution demand prediction. The measurements are transmitted from households, distribution substations or transformers as well as from Medium or High Voltage business consumers such as manufacturing systems providers, hospitals and banks. Each utility includes a control server where all the data from different areas are validated, pre-processed, aggregated and stored in databases. This is performed through a dedicated software called AMI Headend, which also includes a storage database. Moreover, the AMI Headend can also configure the smart meters, modify their settings in real-time and perform software updates and ad-hoc requests towards them. However, the increasing connectivity of AMI systems makes them vulnerable to sophisticated cyber threats.

Cybersecurity in AMI systems is a very big concern. Possible attacks on such systems may  disrupt services, lead to the leak of sensitive data, cause financial losses etc.. Traditional security tools often fall short in addressing these threats and they create a big necessity for development of more advanced security solutions.

In response to those challenges, as a part of the Phoeni2x framework, UPAT created AMINet: a honeypot specially designed for DLMS/COSEM smart meters. AMINet’s main focus is to simulate real-world conditions, and lure attackers into a controlled environment where their behaviour can be monitored and analysed. The logs are sent to the other Phoeni2x components.

AMINet is able to emulate three different aspects of an AMI System: 

  • Smart Meters Connected to the AMI Headend: These simulate real smart meters, interacting with the Headend using various security protocols.
  • Unconnected Smart Meters: These act as bait; they attract attackers by presenting vulnerabilities such as open ports and lack of authentication.
  • AMI Headend Decoy: This uses historical data to mimic real operations, deceiving attackers into believing they are interacting with a genuine utility control center.

The effectiveness of AMINet will be validated through extensive testing within the infrastructure of the Public Power Corporation (PPC). Initial results demonstrate that AMINet successfully emulates the behaviour of actual smart meters and can deceive attackers into attempting connection. These interactions are logged and canbe analysed to understand the tactics, techniques and procedures (TTPs) of adversaries.

Future work on AMINet will focus on the creation of the AMI Headend honeypot also addressing scalability and performance issues. The final goal is to integrate it with the PHOENI2X framework, and the relevant tools like the framework’s Security Information and Event Management (SIEM) solutions, and the Monitoring subsystem, as well as to facilitate correlation of the honeypot’s results with the collected Cyber Threat Intelligence (CTI) & the relevant attacker Tactics, Techniques & Procedures (e.g., via the MITRE ATT&CK ICS matrix).

These developments will further improve the ability to detect and mitigate sophisticated cyber-attacks, ultimately enhancing the resilience of AMI systems.

More information about the development of AMINet by the University of Patras you can find in the Paper presented in IEEE BigData 2023


George Daniil, University of Patras

Kostas Lampropoulos University of Patras 

Odysseas Koufopavlou University of Patras