How to keep your smart meters safe from attack (and not just cyber-attacks)
In Part One of this two-part series, Maxim Integrated's Kris Ardis warned us of seven serious threats to smart meter security above and beyond cybersecurity. Now he is back to explain the solutions to those dangers. He describes the methods used by Maxim in the products it sells, but you don't have to buy the products to appreciate and learn from the approach. - Jesse Berst
By Kris Ardis
Combating threats to the smart meter life cycle
So far we have outlined security threats to the smart meter and to its security software. The examples in Part One are not exhaustive, but the threats are real. They show that anyone deploying an embedded smart grid device must analyze and anticipate potential threats to the grid itself. It is therefore important to consider the technology available to combat the threats identified.
Ensure legitimate ICs with no fakes
We must be certain that silicon delivered to a manufacturing plant is legitimate, unaltered, and not substituted with fake materials. Procedural controls are our first line of defense. We must enforce legitimate supply chains. Only purchase components directly from the original supplier or from authorized supply chains. The risk here is procuring materials from third parties or brokers who are not subject to rigorous tracking procedures that verify legitimate, untampered material.
While these procedural controls can be effective, they will not stop a truly determined attacker with the considerable resources needed to replace legitimate material with convincing fakes. Here a secure bootloader can deter the attack. A secure bootloader, loaded into the appropriate silicon during manufacturing, can be locked with a cryptographic key: either an AES key shared with the meter manufacturer, or the silicon manufacturer's private key. When the meter manufacturer receives the silicon, it can use the corresponding key to verify that the bootloader was locked by the silicon manufacturer and has not been altered.
Thwart social engineering and load only authentic software during manufacturing
Once again, procedural controls can help. For example, requiring two or more randomly chosen line workers to "validate" the firmware being loaded can deter attacks.
Procedural controls can help, but advanced security techniques built into the silicon provide the most robust solution. The secure bootloader highlighted above lets a meter manufacturer deliver encrypted, digitally signed code into the meter. In fact, the contract manufacturer or manufacturing site might only ever have access to the encrypted version of the application software. The secure bootloader on the metering IC decrypts the software and stores the plaintext internally. This prevents attackers from stealing the firmware for cloning or reverse engineering a meter, since it is never available in plaintext anywhere between the meter designer and the meter itself. It can also stop an attacker from introducing new firmware into the manufacturing chain, because any firmware loaded onto the metering IC would need to be signed and encrypted by an authorized person.
Safeguard software to prevent cloning meters
Using this same secure bootloader, the manufacturing site only needs to store an encrypted version of the application software. Now any attacker who steals the encrypted software cannot reverse engineer it. Meanwhile, the secret key programmed into the secure bootloader is specific to meters produced by each authorized end-meter manufacturer. Consequently, encrypted software has little value to an attacker attempting to clone meters. To clone a meter, an attacker would need to steal ICs destined for a particular end customer, since no other silicon would be preprogrammed with the appropriate secret key.
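To make the bootloader's role in the two sections above concrete, here is an added example in Python (not Maxim's bootloader or image format): the meter designer packages the firmware under a per-manufacturer secret, the factory only ever holds the packaged bytes, and the bootloader refuses anything that is not keyed for this IC and intact. Assumptions: one secret provisioned into the IC from which encryption and authentication keys are derived; HMAC-SHA256 in counter mode stands in for AES-CTR and an HMAC tag stands in for the digital signature, because the Python standard library has neither AES nor ECDSA.

```python
import hmac, hashlib, os, struct

def derive_keys(ic_secret: bytes):
    # Constructed example: split one provisioned secret into separate
    # encryption and authentication keys (HMAC used as a simple KDF).
    enc = hmac.new(ic_secret, b"fw-enc", hashlib.sha256).digest()
    mac = hmac.new(ic_secret, b"fw-mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-CTR (no AES in the standard library): HMAC-SHA256 as a
    # PRF in counter mode. A nonce must never be reused under the same key.
    out = b""
    for ctr in range(-(-length // 32)):          # ceil(length / 32) blocks
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:length]

def package_firmware(ic_secret: bytes, plaintext: bytes) -> bytes:
    """Meter designer side: encrypt, then authenticate (encrypt-then-MAC).
    Only the output of this function ever reaches the contract manufacturer."""
    enc, mac = derive_keys(ic_secret)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def bootloader_load(ic_secret: bytes, image: bytes):
    """Secure-bootloader side: returns the plaintext firmware only if the tag
    verifies under this IC's key. An image built for another customer's key,
    a modified image, or a truncated one is rejected and nothing is programmed."""
    if len(image) < 16 + 32:
        return None
    enc, mac = derive_keys(ic_secret)
    nonce, body, tag = image[:16], image[16:-32], image[-32:]
    expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(enc, nonce, len(body))))
```

The same encrypted image is useless on silicon provisioned for a different manufacturer, which is the property the cloning section relies on.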
There is increasing interest in asymmetric schemes, where the "signer" has two keys: a public key that is shared and a private key that is kept secret. Each key undoes the operation of the other. In simple terms, the signer applies the private key to a piece of data to generate a signature; anyone can validate that the signature came from the signer because they know the signer's public key and use it to reverse the operation. Elliptic curve techniques (ECC, ECDSA) are gaining interest for the smart grid because of their small key sizes (256 bits instead of the 4096 bits needed for algorithms such as RSA) and high level of security.
Defend against physical attacks on a meter to change code or retrieve keys
While cybersecurity, the encryption of communication channels in smart metering, gets a lot of attention, it is not the only security concern for a deployed meter. A smart meter is fundamentally in a high-risk location: it is not physically protected or monitored. A technologically advanced attacker's best route to analyzing a smart meter is to procure one and spend significant time with it. Since meters exist on every house, it is very easy and very low risk for an attacker to acquire meters and take them to a hidden lab for analysis.
The best protection against these threats comes from the financial terminal industry. There, the silicon used in payment terminals integrates sensors that actively monitor for physical threats (such as device intrusion, out-of-range temperature and voltage conditions, and even chip-level physical inspection) and erases secret keys stored in NVSRAM as soon as an attack is detected. This technology ensures that any physical attack on the meter results both in permanent disabling of the meter and in erasure of critically sensitive information, including security keys.
Secure technology embedded in the smart grid
The scenarios presented here have outlined a host of security threats and the technologies to thwart those threats.
This technology is now available commercially. For years, Maxim Integrated has provided security solutions to the financial terminal and credit card industries, solutions that are trusted worldwide. Financial transactions are protected to an extremely high standard, and the growth of that industry is the foundation of modern electronic commerce. It is this need for a high level of security that creates the demand for the embedded silicon we have been discussing.
Threats to the smart grid are potentially far more damaging than threats to the financial terminal industry. Who would argue that the widespread and prolonged loss of electricity would be less damaging than the inability to process card transactions? Maxim is responding with secure products, such as the MAX71637 energy-measurement SoC, that integrate the highest level of security technology. Now you can secure the entire life cycle of smart grid equipment, from design to manufacturing, to mission mode, to the end of the device's useful life. This is the only way that utilities and consumers will fully capitalize on the many benefits of the smart grid.
Kris Ardis is the Executive Director of Energy products at Maxim Integrated. He has been with Maxim for 17 years. Ardis holds a B.S. in Computer Science from the University of Texas.