How to secure the smart grid and SCADA

Transcription

How to secure the smart grid and SCADA
How to secure the smart grid and SCADA
Know the areas of the smart grid that demand extra care when it comes to security
measures and why these particular areas are vulnerable today.
By Johan Dams
Technical Director
WRD Systems
We usually read articles about stolen Social Security Numbers, stolen credit-card information, data theft and other
security breaches in a wide variety of businesses and organisations. The energy sector is not immune to these risks.
With the increasing implementation of smart-grid technologies and the use of networked devices therein, the
energy sector becomes an ever more viable and attractive target. This article identifies areas of the smart grid that
demand extra care when it comes to security measures and why these particular areas are vulnerable today.
Although the smart grid is much more than just remote meter reading, we want to start this paper with a security
example that exists today and is that implemented on a large scale. Automatic meter reading (AMR) and the buildup towards advanced metering infrastructure (AMI) has already been deployed in the United States and forms an
interesting beginning for the security discussion.
Remote metering makes it easier and more efficient for energy providers to bill their customers. Timely read-outs
of the meter, such as once a day, allows for accurate and up-to-date information on customer usage patterns, which
in turn allows for energy companies to optimise their energy generation process. The meters themselves are
equipped with a transmitter/receiver capability, which either can be read remotely from a handheld device or over
the air over long distances using RF technologies.
Initial observations of existing smart meters
Some of the issues we found during the inspection of such a widely deployed meter include, but are not limited to:
• No encryption of the data sent or received by the meter
• No authentication procedure between meter and local / remote reader
• Potential to read and write (modify) the program code stored in the meter electronics
Meters that do implement some level of authentication and password protection have serious flaws in their
implementation. For example, a metering protocol such as IEC60870-5-102 (which is luckily not widely adapted,
but serves fine as an example) have functions to read data from the meter that do not require authentication and
another set of functions such as for example the disconnect that needs a password. One particular meter we
reviewed allowed one to retrieve said password using the unprotected read function, making the authentication for
the disconnect function pointless. Other such findings have been previously published by security researchers, such
as in C4 Security's article "The Dark Side of the Smart Grid -- Smart Meters (in)Security."1 Another example that
presented a highly publicized smart-meter hack is described by Mike Davis in "SmartGrid Device Security,
Adventures in a New Medium."2
While one might assume that the data contained on and transmitted from a simple device such as this is nonsensitive, this is definitely not the case. Usage patterns obtained from the device provide valuable information
which can indicate when someone is physically present and therefore can be utilised to determine the time frames
when the location is unoccupied. This information can be easily gathered and used to plan a break-in. If suddenly
usage patterns decrease, this can be an indication that the occupants are on holiday. All this information can be
easily gathered without having to have a physical presence near the target house to monitor for such patterns, by
deploying an electronic data logger somewhere in the neighbourhood. Indeed, it becomes easy to monitor multiple
targets at once.
Furthermore, many of these meters contain a remote 'disable' feature, which can be used to remotely disconnect
the supply of electricity, for example because the end user did not pay the bill. Since the meter does not have
adequate security measures in place, it is straight forward to exploit this feature for example to turn off the
electricity (and possibly security systems) to a house, perhaps for vandalism, or because it is targeted for robbery.
Since the on-board meter electronics are not well protected due to an easily bypassed tamper protection, the code
running on the meter could be downloaded. This means that an attacker can study the code to develop a deep
understanding of its operations, and look for potential security issues. Additionally, since these devices have few
resources and are design for low power consumption, features such as a proper random number generator,
cryptographic accelerators, and other features we've come to expect are often missing and can compromise
security. Even without physical compromising the meter, side channel attacks and others are possible. One
particular example we found is where a communications module is used and whereby the security key has to be
transmitted over a physical bus from the main processor to the communications module, allowing it to be easily
intercepted. This has also been demonstrated in Travis Goodspeed's article.3
EE Times-India | eetindia.com
Copyright © 2013 eMedia Asia Ltd.
Page 1 of 4
More than meters
Of course, the smart grid is much more than just metering. Figure 1 shows the different levels from a high level, all
of which need special care when it comes to security. We'll discuss these other domains in the next section.
Figure 1: The smart grid.
Security
Security is one of those areas that very often gets ignored because it's seen as an overhead expense, not as
something that adds value and can be charged for. It also slows the development process: it's not something that
can be added on at a later time, it has to be part of the overall design. Security should be a focal point, but currently
it's not due to cost and time-to-market pressure. Security must be a planned up front investment.
Many of the device manufacturers have no real experience with security in the first place -- it has never been an
issue in the past. In addition, developers do not really think in terms of security. They might implement some basic
security as a bare-bones solution, but it's usually nothing that will hold up for a long time.
The more the smart grid becomes a reality (the complete grid, not just smart meters), the more it will become a
primary target for attacks. Security is an area where knowing a little on the topic is extremely dangerous: people
implementing cryptography (or worse, rolling their own) think it works, without realising or even being able to
identify the gaping holes they left behind, or just not being able to see that their implementation is wrong due to
lack of knowledge on the subject at hand.
When we see the current security problems in other sectors, such as at banks, medical facilities, credit card
numbers that get stolen, Social Security numbers in plain sight unencrypted, the ease with which password
databases seem to be hacked, and so on, it's obvious to us that not even the basic concepts (like a password with a
proper salt and proper password hash function) are known, understood, and properly implemented. And this is in a
business sector that has years of experience with this matter. To believe that the smart grid will be different is
wishful thinking.
Securing SCADA
We can already see some of the problems today in a different segment of the smart grid: SCADA systems. SCADA
systems form the core control systems and monitor the power plants and other large infrastructure. At some point
in the past, these systems became interconnected. First over private networks, and later over the public Internet.
However, these systems were never designed with that capability in mind. They have never had strong security
components integrated, since they were never planned to be connected to a public network where anyone could
attempt to hack into the critical areas.
The issue is that these systems today are migrating to world of open IT standards such as TCP/IP, Ethernet, etc, to
communicate and interact. While this also allows them to inherit the security mechanisms from that world, these
mechanisms are in our view not the proper ways to secure critical infrastructure. Assuming your security
implementation is good just because other people use it and have not run into problems, does not mean your
security is truly good. When security on critical systems fails, it does not just break a single banking site or
corporate network -- breakage can mean that entire power-grid segments will fail, with much more serious results.
Similar conclusions were drawn in "Security of power grids: a European perspective."5
EE Times-India | eetindia.com
Copyright © 2013 eMedia Asia Ltd.
Page 2 of 4
Security is also not just about encryption. Even if the data itself is encrypted, there can still be tell tale signals that
leak out that might be able to allow an attacker to identify, learn, and abuse. The communication infrastructure
should ensure that information leaks of this kind do not occur, in order to guarantee that the communicating
entities remain anonymous. For example, while a secure connection with a bank might not be easily broken in itself,
other network traffic that is present and which might have nothing to do with the banking itself can leave clues and
critical information behind. The same is true for computers running SCADA systems or other devices on the smartgrid network.
Finding solutions to these problems requires specific expertise and costs money to do properly. However, these
solutions do not necessarily eliminate other types of attacks such as denial of service attacks. Especially when
coordinated, these kinds of attacks can easily disrupt normal operation in a network. If there are time critical
aspects (such as is the case with SCADA, IEC61850, and others), this can severely impact the operation of the
distribution grid. Also, since smart meters and other embedded systems are generally very low-power devices with
very little resources, setting up a proper defence at their end is nearly impossible. Attacks can include malformed
packets being injected in the network and these can disrupt normal operations because the embedded devices do
not know how to properly discard them, perhaps because they don't have enough input validation code.
The use of a generic operating system, such as Microsoft Windows, brings with it all the security issues that
corporate network administrators experience today. A generic operating system is not a intelligent choice to use in
critical infrastructure. Recent attacks against SCADA systems, such as Stuxnet, have been in part very successful due
to the target systems running generic operating systems, for example it is possible to compromise a system just by
inserting an infected USB stick.
Furthermore, while a corporate network is relatively isolated, the smart grid is much more distributed, and
therefore becomes a very large network that is difficult to manage when it comes to security. Existing tools simply
do not scale well to this magnitude.
Substation automation
Let's take IEC 61850 as an example. It is an international standard which provides a very detailed specification of a
layered substation communication architecture. This architecture is composed of abstract definitions of classes and
services independent of underlying protocol stacks and deployment platforms. A simplified overview is given in
figure 2. The standard was originally developed for substation automation and its models are applicable to intersubstation communications. The standard also provides for substation-to-control-centre communications,
distributed automation communications, metering, equipment connection monitoring and diagnosis, and intelligent
electronic device (IED) to engineering systems communication.
Figure 2: IEC 61850.
It was not however, developed with security in mind; that capability is described in the separate IEC62351
standard. It relies on SSL/TLS for message confidentiality and on commonly deployed hashing algorithms and
public key cryptographic algorithms for integrity and authentication. However, IEC 61850 has very strict latency
requirements -- less than 4ms. Together with the need to increase the key length over time, we see that the amount
of time to encrypt/decrypt and authenticate adds to the latency challenge.
EE Times-India | eetindia.com
Copyright © 2013 eMedia Asia Ltd.
Page 3 of 4
To prevent this, we could opt for faster processors in IEDs, processors with embedded cryptographic accelerators,
ASIC based co-processors etc., however there are serious constraints (see Hohlbaum's article)5 that limit these
potential improvements, such as:
• IEDs are enclosed to prevent dust and dirt, making fans useless for cooling the faster devices.
• Processing power will always be limited when compared with the state of the art for which many
cryptographic protocols are designed.
• A typical IED has a life time of ~10 years and it must be backward compatible.
• Cost impacts of some of the hardware decisions can be prohibitive.
• All the authentication certificates need to be handled properly somehow.
A practical attack on a IEC 61850 GOOSE message, used for trips, alarms, interlocking and status, can be performed
as explained in Juan Esteban Hoyos Pareja et. al.4 Even without the ability to decode and spoof the messages, the
network could be disrupted in such a way that it becomes congested (by use of a denial of service attack), causing
messages to be delayed, or not to be delivered at all. Since latency is very important (recall < 4ms), this can lead to
serious problems.
Furthermore, IED and other devices' software implementations could be vulnerable through buffer
overrun/overflow exploits. These exploits are very well known and form attack vectors through which virus and
other malware can be injected, or which can simply cause the device in question to freeze or become unstable.
When these kinds of problems are identified and the device in question is already deployed, they can be fixed
through remote firmware updates -- after all "what is considered secure today may be proven otherwise
tomorrow." However, this mechanism in itself presents itself as an attack vector if the mechanism can be exploited
by an attacker. For example, an attacker could use implementation faults in the update mechanism to upload a
modified and compromised version of the firmware and prevent future legitimate firmware updates.
Special needs
A chain is only as strong as its weakest link, and the smart grid as envisioned today is a very long and diverse chain
indeed. Security issues exist at several levels in the smart grid, starting at the smart meter in the homes of
consumers and continuing all the way to the SCADA systems monitoring the power generation and including the
substations in between. All these systems are very different from one another, meaning that security solutions
implemented at one level do not translate directly to all other levels. This stands in sharp contrast to the traditional
corporate network and thus the solutions developed for these traditional computer networks are not directly suited
and probably not the best match for the smart grid.
Code that is deployed inside smart meters and other devices can contain various security problems that are not
identified during testing. It is therefore crucial that thorough code reviews are done by security experts within the
embedded field. These reviews need to be done independently from the core development team to eliminate bias
and to make sure that an independent set of eyes can do the review, not someone who has been working on, tested,
or designed the software in the first place. Furthermore, the deployment of proprietary protocols and custom
security implementations that have not been subjected to peer review by the security community do not help at all.
These practices should be abolished and open standards have to be developed across all aspects of the smart grid.
Finally, let's not forget another important link in the chain: the human factor. It is important that employees have
adequate training in order to prevent social attacks, something for which there is no technical solution. References
1. C4 Security. "The Dark Side of the Smart Grid -- Smart Meters (in)Security," 2009.
2. Davis, Mike. "SmartGrid Device Security, Adventures in a New Medium," Black Hat USA 2009.
3. Goodspeed, Travis. "Extracting Keys from Second Generation Zigbee Chips," Black Hat USA.
4. Juan Esteban Hoyos Pareja, Timothy X. Brown, Mark Dehus. "A Practical Attack on Cyber-infrastructure,"
University of Colorado, Boulder, 2012.
5. Hohlbaum, Frank, Markus Braendle, and Fernando Alvarez. "Cyber Security Practical considerations for
implementing IEC 62351," ABB, 2010.
6. Leita, Corrado and Marc Dacier. "Security of power grids: a European perspective," Symantic, 2012.
About the author
During his professional career, Johan Dams has been involved in many projects around the world in the fields of
embedded systems, software engineering, and security among others. He is a published researcher working in the
fields of cryptography and robotics and has over ten years of experience running software teams. He is the systems
technical director at WRD Systems and is a lecturer at the Vaasa University of Applied Sciences in Finland.
EE Times-India | eetindia.com
Copyright © 2013 eMedia Asia Ltd.
Page 4 of 4