7 serious smart meter security threats that do NOT involve hacking the network
When we think about smart meter security, we typically think of hackers who crack the network to get access to smart meters. Yes, that's a significant risk, but there's much more to it than that.
Kris Ardis is Executive Director for Energy Products at Maxim Integrated. In this first installment of a two-part series, he outlines seven security threats that do NOT involve hacking the network. Kris has a motive -- his firm sells solutions to these threats. But it is precisely that commercial motive that has led Maxim to study the issue carefully, so they can safeguard against them. I had my eyes opened. I think you will too. - Jesse Berst
By Kris Ardis
Battling threats in the smart grid supply chain
Security in the smart grid. This topic is getting a lot of attention from governments, utilities, and even consumers. The attention is warranted. Besides air, water, food, and shelter, electricity has become one of mankind’s most fundamental necessities. The reliable flow of electricity is certainly crucial to life in the industrialized world, and is a key factor in facilitating the development of emerging countries.
The prevalent discussion on security in the smart grid tends to focus on cyber security, in this case the ability of embedded devices to join networks and transact data over networks in an authenticated way. While this is a critical step in securing the supply of power to the world in a smart grid environment, this approach is too narrow. It ignores the threats to the smart grid from throughout the life cycle and supply chain of smart grid equipment.
In this article we will explore some threats to the smart grid that are ever present in the supply chain of a smart meter. We will explain why those threats must be considered and remedied to ensure the cyber security of the grid. Finally, we will assess the technologies available to combat these threats.
Why threaten the grid?
Why would anyone want to attack a smart meter? The answers vary.
In perhaps the simplest scenario, attackers might want to lower their own electricity bills. This objective is selfish: attackers want to change the behavior of their own smart meter to protect their own interests. In some cases, it could be organized criminal activity that wants to hide true consumption data (a common case is drug laboratories trying to disguise their consumption).
But what about attackers who deal at a more ideological level? It is no secret that many countries must handle the threat of terrorist attacks, perhaps even daily. While threats like bombs or airplane attacks are certainly scary, attacks against the electrical delivery grid could, in fact, be far more effective at disrupting the quality of life for a large number of people. An attacker who takes control of a few million meters could launch a very substantial public assault by disrupting the flow of electricity to a huge population.
Once an attacker can clone a meter, they are also in a position to alter the software deployed in that meter, as described above.
4. Replace legitimate meters with fakes
The plastics and markings on meters are far easier to duplicate than the functionality of a piece of silicon. In this scenario, an attacker manufactures a meter that visually resembles a legitimate meter, but whose firmware contains a hidden attack. The planned attack could be economic, for the meter might be calibrated to report the amount of energy consumed incorrectly. It might even be catastrophic if the meter allows an attacker to take control of its disconnect or to control the data reported back to the utility. An attack on a single meter is an inconvenience, but not a disaster. However, an attack against a large number of meters can be vastly more damaging. Imagine six million meters reporting the incorrect amount of electricity consumed. The utility would be working from incorrect data, hampering its ability to respond to changes in demand and generate the correct amount of power. Widespread grid instability and a massive loss of productivity are inevitable.
5. Recalibrate meters with insider access
Once a legitimate meter is deployed in the field, the attack threats do not cease. Imagine an attacker who works for the meter manufacturer and knows how to build an IR device that can communicate with a meter and change its calibration data. Such a device would be easy to manufacture and could alter any meter to underreport the amount of electricity consumed. While this might not cause a widespread failure of the grid, it could cause severe economic damage to the utility.
The attack described here is not theoretical. In fact, it has already been done. You can read about this attack and other assaults on the grid in Maxim Integrated application note 5537, "Smart Grid Security: Recent History Demonstrates the Dire Need," February 11, 2013.
6. Monitor and hack communications channels
This is the attack that the smart grid community is worried about! The fundamental issue is that the communication network around a smart meter could be hijacked to emulate commands that open its disconnect relay and, thus, disrupt service to a consumer. Alternatively, meter communication might be faked to report erroneous usage data. Utilities then might use this flawed smart-meter consumption data to make decisions about the amount of generation capacity needed or about volt/var optimization. If the data and commands here are not properly encrypted (hidden) and authenticated (validated), they provide an avenue for an attacker to influence or even control the smart grid.
7. Physically attack a meter to change code, retrieve keys
Once a meter is deployed, how secure is it really? The physical security of a meter is a critical consideration. The embedded endpoints of the smart grid (e.g., smart meters, grid sensors, distribution automation control points) are necessarily distributed and not protected by any physical means. Consequently, the endpoints of the smart grid are susceptible because they can easily be stolen, taken to a lab, and inspected at the leisure of an attacker.
In this scenario an attacker opens the meter, accesses the programming pins of the meter microcontroller, and loads new firmware to report incorrect usage data. Another attacker physically accesses the meter, then takes control of the internal memory of the meter microcontroller, and eventually dumps the secret communication keys. In these dangerous situations the attacker can decipher the smart grid’s network communications and initiate a wide range of disruptive actions.
How the life cycle threatens cybersecurity
We have been talking about physical threats to the smart meter life cycle. Let’s turn now and talk about cryptographic threats to grid communications.
The smart grid community is working very hard to ensure that the communications in the smart grid (i.e., data and commands) are secured and authenticated. Modern smart-meter standards call for AES encryption, if not elliptic curve techniques as well. These powerful algorithms can protect and validate data for decades, and they cannot be broken by any computing power expected to exist within the next few decades.
So where is the threat? The commands and data in the smart grid network are cryptographically protected, and the algorithms used cannot be broken with raw processing power for a number of years, or well after we all plan to be in different careers or retired! The concern, then, is not with the cryptographic protection on the data and commands. Instead, the potentially weak, vulnerable entrée for an attacker is the protection of the key material, the cryptographic secrets.
An attacker will take every opportunity to access key material (encryption keys), and target the lowest risk/cost options. Sniffing communication traffic and brute-force decryption could take decades, so the cost is high. But what about the cost of infiltrating a contract manufacturer in a foreign country to intercept secret keys loaded during the manufacturing cycle? Would this be a lower cost or lower risk option?
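To make concrete what "encrypted (hidden) and authenticated (validated)" means for a meter command, and why everything then rests on the key, here is an added example in Go. It is not code from the article or from Maxim; it assumes a symmetric AES-128 key shared between the utility head end and one meter, uses AES-GCM (authenticated encryption) from the Go standard library, and binds a constructed meter identifier into the packet as associated data so that a packet sealed for one meter is rejected by another. The key, meter ID and command strings are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// meterKey is a constructed 128-bit key for this example only. In a real
// meter the key is provisioned into protected storage; it is never a literal.
var meterKey = []byte("0123456789abcdef")

// newGCM wraps the key in AES-GCM, the authenticated-encryption mode used here.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCommand encrypts and authenticates a head-end command for one meter.
// The meter ID is bound as associated data (authenticated but not encrypted),
// so a valid packet for meter A fails verification if replayed to meter B.
// Output layout: nonce || ciphertext || 16-byte authentication tag.
func SealCommand(key []byte, meterID string, cmd []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a random 96-bit nonce is
	// acceptable for the modest message counts a meter sees over its life.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, cmd, []byte(meterID)), nil
}

// OpenCommand is the meter side: it verifies the tag before returning any
// plaintext. Any modified byte, wrong meter ID or wrong key yields an error
// and the command is not executed.
func OpenCommand(key []byte, meterID string, packet []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(packet) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("packet too short: rejected")
	}
	nonce, ct := packet[:gcm.NonceSize()], packet[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(meterID))
	if err != nil {
		return nil, errors.New("authentication failed: command rejected")
	}
	return plain, nil
}

func main() {
	const id = "meter-000123" // constructed identifier
	pkt, err := SealCommand(meterKey, id, []byte("READ_REGISTER"))
	if err != nil {
		panic(err)
	}
	fmt.Println("packet:", hex.EncodeToString(pkt))

	cmd, err := OpenCommand(meterKey, id, pkt)
	fmt.Printf("genuine packet -> %q, err=%v\n", cmd, err)

	// Flip one bit of the ciphertext: the tag no longer matches.
	tampered := append([]byte(nil), pkt...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenCommand(meterKey, id, tampered)
	fmt.Println("tampered packet ->", err)

	// Same packet delivered to a different meter: associated data mismatch.
	_, err = OpenCommand(meterKey, "meter-000124", pkt)
	fmt.Println("replayed to another meter ->", err)
}
```

Note what the check does and does not buy. Tampering, cross-meter replay and traffic from anyone without the key are all rejected without the meter ever acting on the payload. But `OpenCommand` has no way to tell a genuine head end from anyone else who holds `meterKey`; as the article argues, the guarantee is only as strong as the handling of that key from the production line onward.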
Looking back at each of the threat scenarios discussed above, an attacker could take advantage of each situation to compromise secret encryption keys. That would most definitely break the cyber security so carefully designed and implemented in the smart meter network:
Replace legitimate ICs with fakes
In this case, an attacker programs the fake or intercepted ICs to share memory contents with any other attacker. Secret keys loaded during the manufacturing cycle would be easily compromised since the fake (or intercepted) ICs could be programmed to share such data.
Succumb to social engineering and load bad software during manufacturing
If secret keys are programmed in the manufacturing environment, then social engineering approaches (e.g., bribes or other gifts) could be used to convince line workers to share the secret keys loaded during the process.
Steal software to clone a meter
If an attacker could rebuild the software that was to be loaded on a smart meter, they could structure the software to share, instead of protect, secret encryption keys.
Replace legitimate meters with fakes
Fake meters could be programmed to share secret encryption keys with any adversary. If a backdoor was programmed into the fake meter, it could compromise any secrets loaded on a legitimate meter during the manufacturing process.
Recalibrate meters with insider access
To date, publicized attacks to recalibrate meters have been for individual gain, i.e., lowering an individual's electricity bill. A savvy insider could also program a backdoor into the production meter that would enable mass recalibration of meters. The resulting massive data inaccuracies across the grid could lead to bad decisions at the utility and to grid instability.
Monitor and hack communication channels
Hacking communication channels is the traditional attack that cyber security analysts consider. Modern cryptographic techniques can sufficiently stifle any assault, as long as the attacker has no opportunity to access cryptographic keying material.
Launch physical attacks on a meter to change code, retrieve keys
Many microcontrollers contain a means to dump program code or data memory through a bootloader. Many products also support a test mode. While these modes might be hidden, access to them can be discovered by a determined attacker, who then gains access to any internal memory in the meter microcontroller. If the keying material is stored in on-chip memory, then it is vulnerable, and physical access to the meter is only a small step away from physical access to the memory contents inside the meter microcontroller.
Kris Ardis is the Executive Director of Energy Products at Maxim Integrated. He has been with Maxim for 17 years. Ardis holds a B.S. in Computer Science from the University of Texas.