Transmission & Distribution Technology
“Utility companies are in a powerful position to secure the smart grid because they can apply pressure to meter vendors so that they produce more secure devices.”
Joshua Pennell, IOActive.
critical to examine the security of these smart meter devices, which are appearing rapidly on homes across the globe. In 2008, IOActive researchers evaluated the security of a series of smart meter devices and uncovered several security vulnerabilities. In addition to being vulnerable to common attack vectors, IOActive achieved proof-of- concept, worm-able code execution on standard smart meters. Since the smart meter’s radio communication chipset is publicly sourced and the communication protocols lacked authentication and authorisation, IOActive researchers were able to leverage these weaknesses – among others – to produce a proof-of- concept worm. If an attacker were to install a malicious program on one meter, the internal firmware could be made to issue commands that would flash adjacent meters until all devices within an area were infected with the malicious firmware. Teoretically, once the worm spreads to meters, the attacker gains several abilities including connecting and disconnecting customers at predetermined times; changing metering data and calibration constants; changing the meter’s communication frequency; and rendering the meter non-functional. While IOActive’s findings are serious and warrant immediate attention, it is certainly not too late to secure the smart grid. So, how is that done, exactly? Just like remediating any serious security vulnerability, securing the smart grid is a joint effort that requires the support of utility companies, smart meter vendors, the government, and leading privacy and security experts. Utility companies are in a powerful position to
secure the smart grid because they can apply pressure to meter vendors so that they produce more secure devices. By continuing to conduct security reviews that test the meters’ security, quality, and reliability for the entire duration of the product lifecycle, utilities can ensure that meter vendors continually improve their security protocols. To help meter vendors develop more secure
products, IOActive advocates for the adoption of leading security methodologies including Microsoft’s Secure Development Lifecycle (SDL).
Third-party auditing Taking a proactive stance, the SDL implements security and privacy measures during each stage of a product’s development, requires third-party auditing, and conducts a final review before software is released.
Te SDL also makes business sense, as it is a
proven tool to save money – studies indicate that overall project costs are 60 times higher when gaps in information security controls are addressed late in the development phase. Following an SDL will help meter vendors resolve many of the design flaws discovered in their devices including the lack of layered defences.
Multiple layers of defence provide the best security, using the theory that if one mechanism fails you have several others to prevent a breach. It is especially important for smart meters to have a layered defence because they are installed on the outside of homes with minimal physical protection. Without a layered defence in place, someone with a basic understanding of electronics could easily steal a meter, reverse engineer it, and potentially uncover exploitable vulnerabilities.
Strong encryption Contributing to the lack of layered defences, IOActive discovered that strong encryption, authentication, and authorisations were often poorly implemented in smart meter devices. IOActive found that many devices do not use
encryption or implement any authentication before carrying out sensitive functions like executing software updates and performing disconnect operations. Even when meters had encryption algorithms in place, it was found that functionality was unmanageable, and that the keys were often exposed, extremely weak, and could be recovered through simple hardware hacking techniques. Just like the invention and implementation of
any new technology, the smart grid promises many benefits, but it also displays many weaknesses. A lot of work needs to be done to secure this critical infrastructure and it is fortunate that this effort currently is taking place. With the help of the government and security
experts, utilities are taking strides to improve the security of the smart grid and all of its components. As a result of improving security protocols, both consumers and utilities will thrive from the vast benefits of the smart grid, while ensuring the present and future safety of the world’s critical infrastructure. IOActive is an industry leader that offers
comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. IOActive works with a Global 500 companies, including power and utility, game, hardware, retail, financial, media, travel, aerospace, healthcare, high- tech, social networking, and software development organisations. Infosecurity Europe runs a series events for
buyers and sellers in IT Security in Europe for sourcing opportunities, information updates and free educational forums, tackling the key technology issues set to affect your business. Forthcoming shows include: Infosecurity
Netherlands, 3rd–4th November 2010, Jaarbeurs Utrecht, Netherlands (
www.infosecurity.nl ) and Infosecurity Russia, 17th–19th November 2010, Sokolniki Expo & Cultural Center, Moscow, Russia (
www.infosecurityrussia.ru/2010). l
Joshua Pennell is with IOActive.
www.infosec.co.uk www.engineerlive.com
9
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52