Strategies for securing the smart grid
The smart grid, a significant emerging source of embedded systems, has its own critical security requirements. If these aren’t addressed properly, it will prove difficult, if not impossible, to protect individuals and groups from attack.
One obvious concern is financial. Attackers could, for example, manipulate metering information and subvert control commands to redirect consumer power rebates to false accounts. That’s just the tip of the iceberg, however. Because smart grids imply the addition of remote connectivity—from millions of homes to the back-end systems that control power generation and distribution—the ability to impact power delivery has obvious safety ramifications as well. And the potential to affect a large population increases the attractiveness of the smart grid as a target for attack.
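The metering manipulation described above only works if the head-end accepts whatever bytes arrive from the field. The following added example (not code from the original article or from any utility product) shows the minimum a practitioner would want on that link: each reading carries a per-meter HMAC-SHA256 tag and a monotonically increasing counter, and the back end rejects readings that were altered in transit, forged without the key, or replayed. The meter identifier, key value and reading values are constructed for the example.

```python
"""Authenticated meter readings: detect tampering and replay at the utility head-end."""
import hashlib
import hmac
import struct

# Constructed example key; a real meter would hold a unique key provisioned at manufacture.
METER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                          "ffeeddccbbaa99887766554433221100")

# Fixed-width wire format: 16-byte meter id, 64-bit monotonic counter, 64-bit watt-hours.
HEADER = struct.Struct(">16sQQ")
TAG_LEN = 32  # HMAC-SHA256 output


def build_reading(key: bytes, meter_id: str, counter: int, wh: int) -> bytes:
    """Meter side: encode the reading canonically and append the HMAC tag."""
    body = HEADER.pack(meter_id.encode().ljust(16, b"\0"), counter, wh)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class HeadEnd:
    """Back end: verifies the tag, then enforces a strictly increasing counter per meter."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys
        self.last_counter: dict[str, int] = {}

    def accept(self, frame: bytes):
        """Return ((meter_id, counter, wh), 'ok') or (None, reason) for a rejected frame."""
        if len(frame) != HEADER.size + TAG_LEN:
            return None, "malformed"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        raw_id, counter, wh = HEADER.unpack(body)
        meter_id = raw_id.rstrip(b"\0").decode()
        key = self.keys.get(meter_id)
        if key is None:
            return None, "unknown meter"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None, "bad tag"
        if counter <= self.last_counter.get(meter_id, -1):
            return None, "replay"
        self.last_counter[meter_id] = counter
        return (meter_id, counter, wh), "ok"


def tamper_wh(frame: bytes, new_wh: int) -> bytes:
    """Attacker on the path: rewrite the watt-hour field without knowing the key."""
    raw_id, counter, _ = HEADER.unpack(frame[:HEADER.size])
    return HEADER.pack(raw_id, counter, new_wh) + frame[HEADER.size:]


def demo() -> list:
    """Run the scenarios and return the head-end's verdict for each."""
    head = HeadEnd({"METER-0001": METER_KEY})
    genuine = build_reading(METER_KEY, "METER-0001", counter=1, wh=12345)
    forged = build_reading(b"\0" * 32, "METER-0001", counter=2, wh=1)  # wrong key
    return [
        head.accept(genuine)[1],                                      # ok
        head.accept(tamper_wh(genuine, 5))[1],                        # bad tag
        head.accept(genuine)[1],                                      # replay
        head.accept(forged)[1],                                       # bad tag
        head.accept(build_reading(METER_KEY, "METER-0001", 2, 12400))[1],  # ok
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two design points carry over to a real deployment: the tag covers a canonical fixed-width encoding, so an attacker cannot find a second byte string the head-end parses the same way, and the counter check runs only after the tag verifies, so an unauthenticated frame can never advance the replay window. Confidentiality of the reading, if required for privacy, is a separate layer on top of this integrity check.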
The back-end systems of smart grids are protected by the same security technologies—firewalls, network access authentication, intrusion detection and prevention systems—that today defend banks and governments against Internet-borne attacks. Successful intrusions into those systems occur daily. The smart grid, if not architected properly for security, could provide hostile nations and cyber terrorists with a path to attack targets from the comfort of their living rooms. Every embedded system along that path, from the smart appliance to the smart meter to the network concentrators, must be secured (Figure 1). Since public utilities and their suppliers are early in the process of developing security strategies and network architectures for smart grids, a golden opportunity now exists to build security in from the start.
Figure 1. Every embedded system on a possible cyber attack path, from the smart appliance to the smart meter to the network concentrators, must be secured.
The increasing reliance on embedded systems in commerce, critical infrastructure and life-critical functions makes them attractive targets for attackers. Embedded industrial control systems that manage nuclear reactors and oil refineries, for example, provide assailants with an opportunity to inflict widespread damage.
To get an idea of the kinds of sophisticated attacks we can expect on the smart grid, look no further than Stuxnet, discovered in July 2010. This worm infiltrated Siemens process control systems by first subverting the Windows workstations operators use to configure and monitor embedded control electronics (Figure 2). Its ultimate target, it later emerged, was not a nuclear power plant but the centrifuge control systems of Iran’s uranium enrichment program. As the first known malware to directly attack embedded process control systems, Stuxnet illustrated the damage potential of attacks on exactly the kind of equipment that will run the smart grid.
There’s been much speculation in the security community about not just the identity and motive of the attacker, but also the unprecedented sophistication of the worm, which included a clever rootkit construction and the employment of no fewer than four zero-day Windows vulnerabilities. Those Windows vulnerabilities gave Stuxnet its propagation and privilege escalation on the engineering workstations; the final step, loading malicious code onto the Siemens controller itself, was achieved by hijacking the operator’s own programming software so that it delivered the payload. That suggests the attackers had intimate knowledge of the controller’s embedded software and hardware.
In addition to demonstrating the need for improved security skills within the embedded development community, Stuxnet clarified the necessity for a higher level of assurance in critical infrastructure than that provided by standard commercial IT practices.
The worm also exposed the interdependence between embedded systems and IT systems. Supervisory control and data acquisition (SCADA) networks used in industrial control systems are managed from common PCs, for instance, so compromising the PC is a route to the controller. As a response to the Stuxnet attack, the head of U.S. Cyber Command, General Keith B. Alexander, last September recommended the creation of an isolated network for critical infrastructure that would include the power grid.
That may sound heavy-handed, but it is precisely how many governments protect their most sensitive and compartmentalized classified networks. Sure, physical isolation introduces some inefficiency. But you can ameliorate that with the application of high-assurance access solutions that let a client computer securely access multiple isolated virtual desktops and back-end networks. Those access control systems use the latest and greatest Windows or Linux human-machine interfaces, but—importantly—do not depend on Windows or Linux for security.
The recent tragedy affecting Japan’s nuclear program, while not the product of human malice, paints a grim picture regarding the potential impact of a successful cyber attack on critical infrastructure. Such systems, controlled by common computers and networks, have proved both enticing and assailable to well-funded individuals and groups intent on malfeasance.