Securing where smart grid meets SCADA
We read articles almost every month about stolen Social Security Numbers, stolen credit-card information, data theft and other security breaches in a wide variety of businesses and organizations. The energy sector is not immune to these risks. With the increasing implementation of smart-grid technologies and the use of networked devices therein, the energy sector becomes an ever more viable and attractive target. This article identifies areas of the smart grid that demand extra care when it comes to security measures and why these particular areas are vulnerable today.
Although the smart grid is much more than just remote meter reading, we want to start this paper with a security example that exists today and is already implemented on a large scale. Automatic meter reading (AMR) and the build-up toward advanced metering infrastructure (AMI) have already been deployed in the United States and form an interesting starting point for the security discussion.
Remote metering makes it easier and more efficient for energy providers to bill their customers. Timely read-outs of the meter, such as once a day, allow accurate and up-to-date information on customer usage patterns, which in turn allows energy companies to optimize their energy generation. The meters themselves are equipped with a transmitter/receiver, so they can be read either locally from a handheld device or over long distances using RF technologies.
Initial observations of existing smart meters
Some of the issues we found during the inspection of such a widely deployed meter include, but are not limited to:
- No encryption of the data sent or received by the meter
- No authentication procedure between meter and local / remote reader
- Potential to read and write (modify) the program code stored in the meter electronics
Meters that do implement some level of authentication and password protection have serious flaws in their implementation. For example, a metering protocol such as IEC 60870-5-102 (which is luckily not widely adopted, but serves fine as an example) has functions to read data from the meter that do not require authentication, and another set of functions, such as the disconnect, that needs a password. One particular meter we reviewed allowed one to retrieve that password using the unprotected read function, making the authentication for the disconnect function pointless. Other such findings have been previously published by security researchers, such as in C4 Security's article "The Dark Side of the Smart Grid -- Smart Meters (in)Security." [1] Another highly publicized smart-meter hack is described by Mike Davis in "SmartGrid Device Security, Adventures in a New Medium." [2]
While one might assume that the data contained on and transmitted from a simple device such as this is non-sensitive, this is definitely not the case. Usage patterns obtained from the device provide valuable information that can indicate when someone is physically present, and therefore can be used to determine the time frames when the location is unoccupied. This information can be easily gathered and used to plan a break-in. If usage patterns suddenly decrease, this can be an indication that the occupants are on vacation. All this information can be gathered without a physical presence near the target house, by deploying an electronic data logger somewhere in the neighborhood. Indeed, it becomes easy to monitor multiple targets at once.
Furthermore, many of these meters contain a remote 'disable' feature, which can be used to remotely disconnect the supply of electricity, for example because the end user did not pay the bill. Since the meter does not have adequate security measures in place, it is straightforward to exploit this feature, for example to turn off the electricity (and possibly security systems) to a house, perhaps for vandalism, or because it is targeted for robbery.
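The two findings above (an unauthenticated read that exposes the disconnect password, and a remote disconnect that is therefore unprotected) come down to one design error: the secret that guards a privileged command lives in the same freely readable register map as the measurement data. The following model is an added example written for this article, not code from any real meter or from the IEC 60870-5-102 standard; the register addresses, the class names and the `registers_leaking_secret` audit helper are all constructed for illustration. It places the flawed access control next to a hardened variant in which readable registers are an explicit allow-list, the secret is held outside that map, and the disconnect is authorized by a single-use challenge-response so the secret never crosses the link.

```python
import hashlib
import hmac
import os

# Register map constructed for this example; the addresses are not real
# IEC 60870-5-102 object addresses.
ENERGY_REG = 0x01
VOLTAGE_REG = 0x02
PASSWORD_REG = 0x10


class VulnerableMeter:
    """Every register is readable without authentication, and the disconnect
    password is just another register in that map."""

    def __init__(self, password: bytes):
        self.registers = {ENERGY_REG: b"kWh=01234", VOLTAGE_REG: b"V=230",
                          PASSWORD_REG: password}
        self.connected = True

    def read(self, reg: int) -> bytes:
        return self.registers[reg]          # no authorization check of any kind

    def disconnect(self, password: bytes) -> bool:
        if password == self.registers[PASSWORD_REG]:
            self.connected = False
            return True
        return False


class HardenedMeter:
    """Readable registers are an explicit allow-list, the secret is held outside
    that map, and disconnect is authorized by a single-use challenge-response."""

    READABLE = frozenset({ENERGY_REG, VOLTAGE_REG})

    def __init__(self, secret: bytes):
        self.registers = {ENERGY_REG: b"kWh=01234", VOLTAGE_REG: b"V=230"}
        self._secret = secret                # never placed in the register map
        self._challenge = None
        self.connected = True

    def read(self, reg: int) -> bytes:
        if reg not in self.READABLE:
            raise PermissionError(f"register {reg:#x} is not readable")
        return self.registers[reg]

    def challenge(self) -> bytes:
        self._challenge = os.urandom(16)     # fresh nonce for every attempt
        return self._challenge

    def disconnect(self, response: bytes) -> bool:
        if self._challenge is None:          # no outstanding challenge: refuse
            return False
        expected = prove_possession(self._secret, self._challenge)
        self._challenge = None               # single use: a captured response is worthless
        if hmac.compare_digest(expected, response):
            self.connected = False
            return True
        return False


def prove_possession(secret: bytes, challenge: bytes) -> bytes:
    """What the legitimate head-end computes to answer a challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def registers_leaking_secret(meter, secret: bytes, span: range = range(0x00, 0x20)) -> list:
    """Audit check: which registers hand the disconnect secret to an
    unauthenticated read? An empty list is the desired answer."""
    leaked = []
    for reg in span:
        try:
            if meter.read(reg) == secret:
                leaked.append(reg)
        except (KeyError, PermissionError):
            continue
    return leaked


if __name__ == "__main__":
    weak = VulnerableMeter(b"s3cret")
    print("vulnerable meter leaks secret via registers:",
          [hex(r) for r in registers_leaking_secret(weak, b"s3cret")])
    strong = HardenedMeter(b"s3cret")
    print("hardened meter leaks secret via registers:",
          registers_leaking_secret(strong, b"s3cret"))
```

The audit helper is the piece worth keeping when assessing a real device: walk the readable address space with no credentials and confirm that nothing which later serves as an authenticator comes back. The challenge-response in the hardened variant also removes a second weakness of a static password, since the response is bound to a nonce and cannot be replayed.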
Since the on-board meter electronics are not well protected, due to an easily bypassed tamper protection, the code running on the meter could be downloaded. This means that an attacker can study the code to develop a deep understanding of its operation and look for potential security issues. Additionally, since these devices have few resources and are designed for low power consumption, features such as a proper random number generator, cryptographic accelerators, and other features we've come to expect are often missing, which can compromise security. Even without physically compromising the meter, side-channel attacks and others are possible. One particular example we found is where a communications module is used and the security key has to be transmitted over a physical bus from the main processor to the communications module, allowing it to be easily intercepted. This has also been demonstrated in Travis Goodspeed's article. [3]
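The key-over-the-bus finding is a placement problem rather than a cryptography problem: the key is used by the communications module, so it should be provisioned into that module and never exported. The following is an added example written for this article, not code from any meter vendor or from the referenced research; the `BusMonitor` tap, the two communications-module classes and the demo key are all constructed for illustration. A passive monitor records every frame that crosses the inter-chip bus, and `key_seen_on_bus` asks the question a board-level review should ask: does the long-term key ever appear in that capture? Both arrangements produce frames the head-end can verify, so the hardened design costs nothing in functionality.

```python
import hashlib
import hmac

# Demo key constructed for this example; never reuse a fixed key in real firmware.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TAG_LEN = 32                                     # HMAC-SHA256 output size


class BusMonitor:
    """Passive tap on the bus between main MCU and radio module: it records
    every frame carried, standing in for a logic analyser clipped onto the board."""

    def __init__(self):
        self.frames = []

    def transfer(self, payload: bytes) -> bytes:
        self.frames.append(bytes(payload))
        return payload


class CommModuleWeak:
    """Radio module that expects the MCU to hand it the key with every job."""

    def protect(self, key: bytes, reading: bytes) -> bytes:
        return reading + hmac.new(key, reading, hashlib.sha256).digest()


class CommModuleHardened:
    """Radio module provisioned with the key at manufacture; the key is used
    inside the module and is never exported over the bus."""

    def __init__(self, key: bytes):
        self._key = key

    def protect(self, reading: bytes) -> bytes:
        return reading + hmac.new(self._key, reading, hashlib.sha256).digest()


def weak_send(bus: BusMonitor, module: CommModuleWeak, key: bytes, reading: bytes) -> bytes:
    """Weak arrangement: the MCU holds the key and ships it, together with the
    data, across the bus on every transmission."""
    frame = bus.transfer(key + reading)
    return module.protect(frame[:len(key)], frame[len(key):])


def hardened_send(bus: BusMonitor, module: CommModuleHardened, reading: bytes) -> bytes:
    """Hardened arrangement: only the reading crosses the bus."""
    return module.protect(bus.transfer(reading))


def key_seen_on_bus(bus: BusMonitor, key: bytes) -> bool:
    """Review check: did the long-term key ever appear on the monitored bus?"""
    return any(key in frame for frame in bus.frames)


def headend_verify(key: bytes, frame: bytes) -> bool:
    """What the utility head-end does with an incoming frame: check its MAC."""
    reading, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, reading, hashlib.sha256).digest(), tag)


if __name__ == "__main__":
    tap = BusMonitor()
    weak_send(tap, CommModuleWeak(), KEY, b"kWh=01234")
    print("weak design, key visible on bus:", key_seen_on_bus(tap, KEY))
    tap = BusMonitor()
    hardened_send(tap, CommModuleHardened(KEY), b"kWh=01234")
    print("hardened design, key visible on bus:", key_seen_on_bus(tap, KEY))
```

The same check generalizes to any secret that a resource-constrained design is tempted to shuttle between chips: capture the bus during a full operating cycle and search the capture for the provisioned key material. If it turns up, the fix is to move the operation that needs the key into the component that already holds it.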