Recognize the Threat and Secure the Smart Meter



Security for the smart grid has made headlines over the last several years, showing there is still much work to be done, especially to protect “endpoints” like meters and grid sensors.

The Threats
Most threats to the smart grid fall into one of two large categories: localized individual and widespread social. We will consider those threats with respect to the major components of the grid: utility control, communication network, and endpoints (Figure 1).

121203_smartenergy_1
Figure 1: Simple smart grid model shows that utilities gather data through a communication network from an endpoint.

With an individual threat, the attacker aims to manipulate smart-grid data for personal gain – perhaps to lower an electricity bill. This threat does not seek to disrupt the management of the electrical grid for others.

The second category is a societal threat and includes activities that try to harm the operation of the electrical grid. This might be an attack on the utility itself. Or the attack might be on society in general, the extreme example of which is a terrorist attack that leaves the electrical grid inoperable and customers without power. Without reliable electricity delivery, productivity and financial losses would be staggering.

The Weakest Link
Where does an attack yield the desired result with the least amount of investment and risk to the attacker? We use our simple “utility to endpoint” model for both threat scenarios to see how an attacker might achieve his goals. (Or her goals. We acknowledge that women are just as capable of these disruptive activities as men. That said, we continue to speak of men because, well…it is simply easier in the narrative.)

  1. Individual threat.
    A hacker who wants to lower his electricity bill could infiltrate the utility control room and change the records collected from his meter. As another option, he could intercept the communication that relays consumption information to the utility. Finally, he could alter the firmware on his meter to underreport the amount of power consumed. Any of these approaches achieves the desired goal, but requires very different investments from the attacker.
  2. Societal threat.
    The example is a terrorist who wants to disrupt the flow of electricity to the maximum number of users. Again, the attacker could infiltrate the utility control room and arrange the remote disconnect of a number of meters or shut down the supply of electricity at certain substations. The attacker could also inject instructions onto the communication bus to issue commands to do the same. Finally, the attacker could take direct control of either the meters, programming them to activate their remote disconnect relays, or the sensors so they feed false data to the utility, causing the utility to shut down certain segments of the grid.

Consider how an attacker is likely to view the three major segments. First, the utility control room itself. An attack against a utility control room would yield the highest amount of control over the grid; however, it is a high-risk attack. Utility control rooms are likely to be well-protected, with good access control and concurrent authentication procedures in place. It would also be extremely difficult to hide the attack – if control room personnel do not catch the offender, security cameras will record it. With these protections, an attacker might consider exploiting an insider to assist him. However, a utility control room probably has procedures to prevent any one person from making wholesale changes that could threaten the operation of the electrical grid; multiple people are required to consent to any such action. Consequently, any attacker would need multiple people “inside.”

So where does the attacker look next? The communication channel. Most of the dialog on smart-grid security has focused on the communication channel. Many systems deployed use strong cryptographic technology to protect the data and commands while in transit between smart-grid endpoints and the utility command centers. To attack the communication channel, one needs to discover the secret encryption or authentication keys. Reliable, publicly known communication protocols will not share the secret keys. This means that an attacker must either discover the secret keys from the utility/endpoint, or use a brute-force attack on the encryption/authentication scheme of the channel. The first option is actually not an attack on the channel itself, but an attack on the other major components of the grid. A brute-force attack is not likely to yield results. Common encryption algorithms like AES-128 are computationally infeasible to attack in a brute-force manner; it would take years (or decades) for super-fast computers to guess the correct secret key data, which would be long after the useful life of the data.

The attacker then turns to the smart-grid endpoints themselves. These are devices like smart meters or grid health sensors. This equipment is more appealing because the endpoints are not well guarded, are widely dispersed on the sides of residences, or attached to remote transmission wires. This vulnerability gives an attacker more opportunity to study and try different attacks.

Attacking a Deployed Meter
Following our consideration of individual threats, the attacker would do best to attack a deployed meter directly. The goal might be to change the current-sensing mechanism so it appears that less power is consumed. Perhaps the plan is to reverse-engineer the software in the meter and alter the reported power usage.

The societal attack might start in a similar way. An attacker studies a meter to understand its functions, but here the ultimate goal is more advanced. He might want to extract cryptographic keys, reverse-engineer the communication protocol and reprogram the meter. If he finds a repeatable attack (i.e., one which can easily be configured to attack multiple meters at the same time), he could reprogram a large number of meters to underreport power consumption or simultaneously disconnect on a given date and time.

Countering the Attack
Embedded security technology from markets such as financial terminals does an excellent job of countering these attacks on individual meters. This security technology integrates the means to deter both physical attacks that aim to forcibly control or inspect an embedded system and logical attacks that aim to analyze the memory, applications or protocols running on an embedded system.

Embedded products with physical attack-detection mechanisms detect when a system becomes compromised. These products use physical sensors like case-open switches, blind switches, motion detectors, and environmental sensors to detect attacks. When a threat is detected, the meter can take action, such as trying to contact the utility or even deleting secret cryptographic keys. (It may be better to delete those keys than expose them to an attacker.)

There are also logical techniques that apply to attacks on deployed meters. Secure on-chip memories can be locked and encrypted so that an attacker has difficulty reading or reverse-engineering the software. Secure bootloaders can lock the device at manufacturing time to ensure that an attacker cannot load an unauthorized version of software on the meter.

Techniques to secure deployed meters can also mitigate the societal threat to some extent. Meters with unique encryption keys make sure that if an attacker extracts one meter’s key, the attacker cannot know the next meter’s key. If extraction of a single secret key is difficult enough (with the physical and logical protections just mentioned), then it increases the challenge of a societal threat being carried out against a large number of deployed meters.

Attacking the Supply Chain
A handful of existing embedded security technologies can be implemented to mitigate the dangerous societal threat against deployed meters and the smart grid. However, now we must consider attacks beyond those against deployed meters and focus on the entire lifecycle of grid components.

The manufacturing environment is an early stage in the lifecycle of an electricity meter. It is also one of the most risky places for IP. There is the conventional threat of theft from off-shore manufacturing, or the fact that your on-shore (or even on-site!) manufacturing is operated by low-paid technicians susceptible to social engineering (as simple as a bribe or as dramatic as kidnapping a family member to convince someone to take a role in your attack). In this environment, IP can be stolen for reverse-engineering study; new and dangerous IP could even be deployed on your products.

A determined attacker could reverse engineer a meter’s software and install a virus to activate the remote disconnect, shut down the meter’s communication and erase all of its internal memory at a set date and time. The attacker then substitutes this IP in the manufacturing flow. The effect would be devastating – a utility rollout of millions of meters, all of which cut off customer electricity at a given time. Meters would need to be individually serviced or replaced over a course of months, and at great expense.

There is a solution and counterbalance to these threats before the meters are deployed. Embedded security products can mitigate the threats with features like secure bootloaders, secure memory and lifecycle management. A secure bootloader can be used to load only encrypted versions of meter software. A meter designer or software provider can send the encrypted application to the manufacturing location, and the secure bootloader in the system microcontroller can decrypt and store the application. Secure memories (internal or external) can also store application code in encrypted form, making it infeasible to read the application contents and reverse engineer or copy it.

Secure lifecycle protections can be used to validate the actual supply chain. Silicon manufacturers can lock their devices so that only one customer can unlock it and install code. A meter OEM can lock its meter so that only the intended utility may unlock and deploy it. As more security is added to the supply chain, the threat of societal attacks through the meter is reduced.

The Solution?
We need to face a hard fact: there will be no perfect security solution for the smart grid. Perfect security costs an infinite amount of time and money to develop. However, if we leverage the vast number of secure techniques and technologies from the world of financial transactions and government applications, we can enable a higher level of physical and logical security for the embedded endpoints of the smart grid.

 


ardis_kristopher

Kris Ardis is the business director of smart grid products at Maxim Integrated. He has been with Maxim for 15 years. Ardis holds a B.S. in computer science from the University of Texas.

Share and Enjoy:
  • Digg
  • Sphinn
  • del.icio.us
  • Facebook
  • Mixx
  • Google
  • TwitThis