The method by which we distribute energy has finally caught up with the rest of our technologically sophisticated society. The ‘smart grid’ promises to save money and resources, and offers a better method to track usage metrics. However, it also has proven itself to be an ideal attack target – as is common with early-to-market technologies – so we are duty bound to fully examine the implications of its deployment, as well as the inherent risks.
The smart grid connects local power distribution with the national infrastructure, where delivery is carried out by a two-way flow of electricity and real-time monitoring information. It leverages the benefits of distributed computing and fault-tolerant communication to enable the near-instantaneous balancing of supply and demand at the device level – thanks, in part, to the critical Advanced Metering Infrastructure (AMI), or smart meter network. These dual-purpose distribution and endpoint meters combine a wireless network interface with mesh networking software to facilitate automatic updates and remote disconnect capabilities.
Estimates on the number of meters deployed in the US range from two to eight million, and that number is rising due to their low cost point and the American Recovery and Reinvestment Act of 2009, which set aside $11 billion specifically for “smart grid activities”. By promising utilities and customers greater control of electricity usage, increased savings, and improved service, smart meters appear to be an optimal solution, but we are seeing that there can be a negative side to ‘smart’.
Privacy activists contend that the meters go too far in their extensive data collection, some of which could represent personally identifiable information, which introduces the need for strict privacy controls. Moving forward, as the grid becomes increasingly sophisticated and more integrated with Internet-type concepts, new attack vectors will arise where malicious users can exploit vulnerabilities and threaten the entire infrastructure’s integrity.
Smart grid weaknesses
Smart meters lack the security protections that are standard on modern computers and networks – a reality that IOActive discovered through extensive smart meter research. Tests uncovered a range of vulnerabilities and programming errors, including buffer overflows, as well as rootkits, which could be assembled into self-propagating malicious software.
Even worse, IOActive executed ‘worm-able’ code on standard meters, which means that if an attacker installed a malicious program on one meter, that meter would communicate with, or ‘flash’, adjacent meters, spreading the worm until all devices in the area had become infected. The attacker then could disconnect customers, change metering data and calibration constants, and even render the meters non-functional.
Assuming the infection had not damaged the meters’ remote flashing capabilities, changed the meters’ communication frequency, or altered the meters’ calibration settings, widespread infection with a malicious worm would necessitate publishing a firmware update to overwrite the worm and return the system to normal operation. However, the reality of a malicious attack is far more devastating.
That attack likely would disable either the wireless update mechanisms or calibration settings, and if the meters supported remote disconnect functionality, then they would have been instructed to disconnect service to individual customers or an entire service area. In this scenario, the power utility would require enough time to reverse engineer the vulnerability and comprehend it fully enough to develop a patch, which would then need to be manually installed on each affected meter to resume normal operation. And that assumes the meters could be salvaged; if not, they would need to be replaced.
A bright path forward
Is it possible to move past the security vulnerabilities discovered in smart meter devices, to forge a path toward responsible management of the advanced metering infrastructure so that we can realize the benefits of smart power distribution? IOActive believes so.
For starters, the American Recovery and Reinvestment Act of 2009 stipulates that to receive stimulus money, each utility must present their plan for performing cybersecurity due diligence, which puts them in a powerful position – they can pressure meter vendors to produce more secure devices. Utilities also can drive competition in the smart meter market by performing security reviews on devices from several different manufacturers. Continually testing the security, quality, and reliability of a chosen vendor’s products for the duration of its lifecycle ensures the ongoing improvement of security protocols.
In this same vein, IOActive encourages AMI vendors to adopt a formal secure development lifecycle (SDL) to both guide and govern the release of products that are better able to withstand malicious attacks. An SDL accounts for security and privacy during each development stage, and requires that a final review occur before product release. By adopting an SDL, smart meter vendors would make the critical shift to treating security as an integral feature-set instead of an inconvenient afterthought.
AMI vendors would also save money via adoption of an SDL – studies show that project costs are 60 times higher when information security control gaps are addressed late in development. Following an SDL also will help meter vendors correct many discovered design flaws and employ the most basic rule of security: layer your defenses. Smart meters currently have few defense layers and often ignore basic security practices, such as authentication and encryption.
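As an added illustration of the ‘layer your defenses’ point, not code from IOActive or from any meter vendor: a Go model of the firmware acceptance check that would stop the neighbour-to-neighbour flashing described above, since a meter only writes an image that carries a valid vendor signature and a version newer than the one it runs. The type and function names (FirmwareImage, Meter, Flash, Propagate), the version-prefixed signing layout and the pinned Ed25519 vendor key are assumptions for this example; the vendor's release step is assumed to sign exactly the bytes returned by signedBytes(version, payload).

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a meter firmware package.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte // vendor's Ed25519 signature over signedBytes(Version, Payload)
}

// Meter is one AMI endpoint with the vendor's public key pinned at manufacture.
type Meter struct {
	VendorKey ed25519.PublicKey
	Version   uint32
	Firmware  []byte
}

// signedBytes binds version to payload so an older genuine image cannot be replayed as newer.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// Flash is the only path by which a meter accepts firmware, whether it arrives from the
// head-end or from a neighbouring meter; nothing is written until both checks pass.
func (m *Meter) Flash(img FirmwareImage) error {
	if !ed25519.Verify(m.VendorKey, signedBytes(img.Version, img.Payload), img.Signature) {
		return fmt.Errorf("rejected v%d: signature does not verify", img.Version)
	}
	if img.Version <= m.Version {
		return fmt.Errorf("rejected v%d: already running v%d", img.Version, m.Version)
	}
	m.Version, m.Firmware = img.Version, img.Payload
	return nil
}

// Propagate offers one image to every meter in radio range and returns how many accepted it.
func Propagate(mesh []*Meter, img FirmwareImage) (accepted int) {
	for _, m := range mesh {
		if m.Flash(img) == nil {
			accepted++
		}
	}
	return accepted
}
```

An image that is unsigned, signed by a key other than the pinned vendor key, or altered after signing is refused by every meter it reaches, so it cannot spread; a genuine release still propagates, but only to meters running an older version.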
So what’s the good news for utility companies, meter vendors, and energy users? There is still time to repair the smart grid infrastructure. Governments – in combination with security and privacy experts – can help utility companies embrace their role as watch guards of our energy ecosystem by holding their vendors responsible for product security. By increasing our focus on necessary security and privacy protocols, utilities and customers can benefit from the smart grid, while still maintaining the safety and integrity of this critical infrastructure.
As IOActive's founder and president, Joshua Pennell has an 11-year entrepreneurial track record of creating and maintaining a multimillion-dollar, customer-focused, independent global security services organization. Through Pennell's leadership, IOActive has emerged as one of the world's longest standing, highly technical boutique security consultancies with a history based on cutting-edge research and meritocratic governance.
Pennell serves on the advisory boards of Source, Vantos, and SiteScout. He is also the chairman of IOActive's advisory board, which includes such computer industry venerables as Steve Wozniak, Jim Reavis, and Jason Larsen. In years past, Pennell played an integral role in helping his team win Defcon’s Capture the Flag competition for three consecutive years, followed by another three years of technically revolutionizing the competition before handing the game over to Kenshoto.
IOActive is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue, Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies, and offers practical and professional expertise. For further information please visit www.infosec.co.uk.