Securing the life cycle in the smart grid

Kris Ardis, Business Director, Smart Grid Products, Maxim Integrated



Click image to enlarge

Figure 1: A conscientious life-cycle design will consider threats at every step of product development and manufacturing.

Investment in smart meters and smart-grid end equipment continues to grow worldwide as countries try to make their electric delivery systems more efficient. As critical as the electric delivery infrastructure is, it is normally not secure, and thus is subject to attack. The concept of life-cycle security encompasses the idea that embedded equipment in the smart grid must have security designed into the entire life of the product, even back to the contract manufacturer. Security is an increasingly critical subject in the smart grid. With regular attacks on smart-grid infrastructure, there is a clear threat: The stable supply of electricity in every nation is at risk of compromise by unfriendly forces. In response, there is a great focus on IT security. Many systems support end-to-end encryption between embedded data-collection devices on the smart grid and the SCADA (supervisory control and data acquisition) systems that analyze and react to the data. This focus on IT security is undoubtedly critical, as systems must protect data in flight with standards-based cryptography. However, even with the strongest end-to-end encryption, there is a severe shortcoming in smart-grid security: The embedded device itself is highly vulnerable to attack. Encryption is security, right? While cryptographic tools are critical for ensuring the privacy and authenticity of transmitted data and commands, it is important to note that it is only solves one part of the problem. Encryption's greatest value is to protect data when it is in transit or in storage to prevent deciphering or forgery. While there are some who believe that a complex RF or power-line carrier that relies on frequency hopping provides enough security to obscure data, this is a protection easily broken by attackers. Imagine if an attacker could generate an arbitrary command to open the remote disconnect switch in a smart meter. Such an act could disrupt electric service for a large number of people and service requests would swamp the utility. Not only could this result in a significant loss of revenue to the utility and impose severe inconveniences on its customers, it could be life threatening in regions where, for example, air conditioning is a necessity. What happens to the data before it enters the pipe and after it exits? There are encryption keys at either end of communication pipes that encrypt, decrypt, authenticate, or validate the data in transit. While the encryption of the data in the pipe is critical to secure information as it passes from embedded sensor to the control system, the protection of the secret keys used in the encryption is even more important. A security compromise affecting the keys can compromise the security of the network. Embedded endpoints in the smart grid must consider key security to provide more complete system security. Secure financial terminal technology, for example, emphasizes key protection, using multiple layers of protection to protect on-chip keys from physical and analytical attacks. The validity of data and commands flowing in the smart grid is not the only avenue of attack to disrupt the supply of electricity. Clever viruses such as Stuxnet have proven the danger of attacks that change the fundamental behavior of embedded equipment in a manner that is difficult to detect. A class of threats called zero-day attacks exploits systems that allow erasure or reprogramming, breaking a system in undetectable ways. We need not only worry about equipment when it is deployed, but at any time it is vulnerable to improper programming—including during manufacturing. But what could go wrong? Designing for security is difficult, time consuming, and requires security expertise. Is the investment really worth it? For a moment, let's consider a deployed smart meter. Since meters generally sit unprotected on our homes, it is easy for an outsider to gain access. If a meter uses a conventional microcontroller for applications and communication processing, it is likely that there is an attack path through the programming interface, allowing the attacker to reprogram the meter or read out its contents. With enough resources and time, someone could even create a program that behaves exactly like the previous meter program, but with hidden viruses that collect key data or alter the reporting of electricity consumption. Deployed meters require protection to ensure their functions are inalterable. However, if we look back in time, we see a moment when the meter is even more vulnerable—the manufacturing floor. There is always the possibility that social engineering can give attackers access to your IP and manufacturing flow. Armed with a few thousand dollars, an attacker could procure your software, reverse engineer it, alter it, and provide a new program to the manufacturing flow. Additionally, the attacker could sell the software to a competitor, giving another company an unfair benefit from your research and design expenses. How to secure the life cycle A conscientious life-cycle design will consider threats at every step of product development and manufacturing, and determine if those threats warrant countermeasures (Figure 1). To implement a secure life cycle, consider the following: 1. Make sure you procure valid silicon. Purchasing through authorized or direct channels can help, but there are cryptographic techniques as well. Some IC manufacturers, including Maxim Integrated, sell secure microcontrollers and smart-grid products preprogrammed with the customer's key or certificate, ensuring that only the intended customer can unlock and program that IC. 2. Protect your IP. Deliver signed, encrypted code to your manufacturing operation. This requires cooperation from a secure bootloader inside your system microcontroller to decrypt and authenticate the software once delivered to the chip. The encryption protects against reverse engineering or cloning. 3. Only run the code you intended to run. A secure bootloader can use the digital signature on your software to validate the authenticity of the code before loading or running the application. 4. Trust who you are communicating with. Encrypt and sign new configurations, firmware updates, and commands to validate that they issue from a trusted source. 5. Protect your keys in the field. Don't store encryption keys in an IC separate from where you will use the key, such as in an external EEPROM. If you have a separate secure microcontroller and applications processor, keep the keys in the secure chip and never send them anywhere else. Keys transmitted across PCB traces are easy for an attacker to extract. 6. Protect your keys inside your company. Use development keys for engineering to design security features into your products. Protect access to the production keys by requiring multiple users to authorize the use of production keys. An HSM (high-security module) can help implement some of these policies. 7. Don't rely on a single point of failure. If an attacker only needs to extract keying material from one meter to break the system, they can invest more time and money into that attack knowing that they can then break the entire system. Sophisticated attackers might even decapsulate the IC package and microprobe memories in search of keying material. Use unique keys or use asymmetric cryptographic schemes like elliptic-curve digital signatures. Maxim Integrated