Embedded Technologies for the Smart Grid
Smart Grid Security: Less Bruce Willis, More Ben Franklin.
The humble electrical meter—now that it has gotten smart—has also become a potential avenue for attacks that could lead to great damage to the electrical grid. More attention must be paid to securing these and other devices that are attached to the coming Smart Grid.
ROBERT VAMOSI, MOCANA
Page 1 of 1
In the movies, it’s compelling. In a matter of seconds, a hostile nation-state sends a string of malicious code to a small-town SCADA network, and as a consequence the entire Eastern Coast of the United States is plunged into darkness during the height of a summer heat wave. Hours later a handsome, intrepid digital forensic investigator discovers a “digital cure,” pounces on the foreign hackers in their lair, and in a big shootout (preferably with explosions), installs the patch with minutes to spare and fixes everything.
The reality is considerably less dramatic.
To date, there haven’t been any publicly documented SCADA failures in the energy sector resulting from malicious digital attacks. That’s not to say that there haven’t been digital attacks. There have been many. But so far, the power grid’s network of fail-safes and redundancies seems to have saved us from the worst scenarios. The example that most fear-mongers like to put forward—namely, the claim by U.S. government officials that a two-day blackout in Espirito, Brazil, was the result of sabotage—has been discounted by Brazilian authorities. They say dust from a prolonged drought and soot from a nearby wildfire affected critical transformers and were the actual saboteurs. The lack of an example, however, doesn’t mean the existing energy-grid SCADA networks are secure, and there appears to be wide consensus that the older parts of the infrastructure need additional protection.
Security researchers, such as Luigi Auriemma, recently published 34 exploits for common SCADA systems sold by Siemens, Iconics, 7-Technologies and DATAC. Shortly after his work appeared on the Bugtraq mailing list, the U.S. Industrial Control Systems–Computer Emergency Response Team (ICS-CERT) rushed out advisories to the energy industry. And while these particular vulnerabilities have been mitigated (or at least, the community has been alerted to them), the fact that Auriemma, who prior to this research had never before studied SCADA networks, was able to find so many flaws, suggests others may find even more.
Indeed, speaking at Black Hat USA in 2010, Jonathan Pellot of Red Tiger Security said “without the proper security precautions, the electrical grid is now more vulnerable than ever.” His company logged over 38,000 software vulnerabilities in a common operating system used on SCADA systems within the energy sector. While most aren’t enough to cripple a SCADA network on their own, such vulnerabilities provide yet another vector for an attack.
Smart Grid Security Standardization
Shortly after 9/11, the North America Electric Reliability Corporation (NERC) issued guidance requiring energy providers to provide authentication technology on their devices to enable more secure upgrades, and to use AES encryption for all network communication. The 2007 Energy Independence and Security Act gave these providers until 2009, but Congressional testimony in early 2009 showed “most of the industry had yet to comply.”
In January 2011, the GAO released a report, Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed, which concluded that while both NIST and FERC made key regulatory improvements during 2010, the U.S. energy industry as a whole continues to suffer. In particular, the GAO cited six areas of concern:
- The electricity industry does not have an effective mechanism for sharing information on cybersecurity.
- The electricity industry does not have metrics for evaluating cybersecurity.
- Utilities are focusing on regulatory compliance instead of comprehensive security.
- Aspects of the regulatory environment may make it difficult to ensure Smart Grid systems’ cybersecurity.
- Consumers are not adequately informed about the benefits, costs and risks associated with Smart Grid systems.
- There is a lack of security features being built into certain Smart Grid systems.
Trouble at Home
While the state of security within larger energy grid systems remains in question, special attention should nonetheless be focused on the new devices that comprise the Advanced Metering Infrastructure (AMI)—the millions of smart meters now being put into homes nationwide. In response to federal funds available for the rapid installation of these devices, local utilities have been rushing to install them, sometimes with less attention to security concerns than some would find adequate.
Cybercriminals may not invest the considerable resources needed to attack energy facilities directly. Instead, they might be able to start an attack with a drive down a residential street.
Smart meters, new devices that are being installed in millions of consumer homes, may prove to be lower-hanging fruit to a would-be attacker (Figure 1). Here, issues of authenticating updates and encrypting communications may not have been fully addressed prior to implementation, and provide an opportunity for even greater security today. In other words, we may be worrying about the wrong part of the energy network.
Even given all the components and stages of the Smart Grid, the weakest link might be the smart meters in the home.
The units now being placed inside customer houses lack a good mechanism for authentication of downloaded software and firmware updates. In 2010, Shawn Moyer and Nathan Keltner at FishNet Security demonstrated to audiences at Black Hat USA a proof-of concept smart meter attack using this vector. Using radio equipment and open-source software, they were able to identify nearby smart meters in a residential neighborhood. They were able to circumvent the encryption used and inject malicious code into the smart meter in the form of a firmware update. Once updated, the code then propagated to other smart meters in the area, creating a Smart Grid worm similar to a PC worm such as ILOVEYOU, a particularly nasty case that spread worldwide in 5 hours.
The consequences of such a device-based worm might be more dire than a PC worm. If the smart meter hack Moyer and Keltner proposed were ever loosed in the “wild,” electricity to thousands of homes could be shut off—and it’s not clear that service could be restored without manually re-installing the software on every meter, in person. Such an attack would be expensive to recover from.
Furthermore, vulnerabilities within home-based smart meters might allow someone remote access to the rest of the SCADA system. It seems reasonable to state that if the device security of these mass-produced smart meters were held to a higher bar, the overall electrical grid would be better protected. But right now there are no regulatory (or even customary) requirements for third-party security testing or peer review of these devices.
Stopping Meter Malware & Protecting Meter Updates
To protect against the Moyer/Keltner worm, best practices recommend that you digitally sign all of your device firmware, and set up your devices in the field so that they won’t run any code that hasn’t been properly signed. Cryptographic digital signatures ensure that any firmware appearing on the device is from an authenticated source, and that it has not been infected or modified.
A cryptographically based automated update allows you to securely distribute software updates to millions of devices in the field, over virtually any network connection—secure or unsecure (Figure 2). With cryptographically based updates, a signed message is placed at a well known URL, which is programmed to check for updates. The signed message is then downloaded, authenticated, verified, de-capsulated, saved and/or acted upon. Products like Mocana’s NanoUpdate enable devices to authenticate incoming software or firmware updates, so that you can distribute new features, patches and bug fixes for your meters and other Smart Grid devices… without rolling a single truck.
Ideally, security throughout the Smart Grid is needed, not just at the consumer level.
Additionally, device-based antivirus solutions can actively shut down virus and malware attacks against smart meters and other grid infrastructure devices. But traditional antivirus scanners simply won’t fit into the tight memory and CPU constraints of most smart meters. A new generation of smaller, non-database-oriented anti-malware agents has emerged where every action an application takes is checked against a known “good behavior” model. Mocana’s NanoDefender, for example, continuously scans running processes and terminates non-authorized threads or applications with minimal system overhead and no false positives.
Authenticating Meters & Encrypting Communications
Extensible Authentication Protocol (EAP) is an authentication framework that can be used to protect wireless networks and Point-to-Point connections by providing common functions and negotiation of authentication methods. Solutions exist that can prevent unauthorized access to grid devices in the first place. This allows utilities to manage multiple users of the same device who require different security configurations.
To ensure that only the devices you designate as “authentic” can participate in your Smart Grid network, issuing X.509 certificates for all of your devices is a long-recognized “best practice.” Additionally, there needs to be a way to automate certificate management in devices and applications without increasing resources. Mocana’s NanoCert automates certificate management, and can scale to handle millions of meters. The client software requests certificates, renews them or pulls down revocation lists from most any certification authority (CA), and can issue and revoke certificates at scale.
It’s not enough, though, to merely authenticate all of the communicating nodes. You also need to protect data while it’s in transit, and while it’s at rest on the meter or back at the utility. Best practices, again, dictate that you use government-validated (FIPS 140-2) encryption solutions, but finding a government-certified cryptographic engine is challenging for resource-constrained embedded systems environments. Solutions like Mocana’s NanoCrypto low host-CPU utilization extends battery life on remote sensors, and enables even inexpensive low-end processors to use robust cryptographic techniques to protect sensitive information and authenticate legitimate users, systems and data.
“Saving the day” when it comes to securing the Smart Grid is less Bruce Willis and more Ben Franklin. Some prudent planning and careful implementation can spare us all a lot of drama later. By hardening the weakest (and most populous) entry points—namely the home-based smart meters—the energy industry can continue to avoid the Hollywood disaster story.
San Francisco, CA.
Kansas City, MO.
Red Tiger Security