Smart-grid security: history demonstrates need

Dave Andeen, Strategic Segment Manager for Energy, Maxim Integrated

The smart grid surrounds us these days. In the U.S., approximately 36 million smart electricity meters have been deployed since 2007 (reference 1). In Europe, Italy and Sweden have each achieved complete smart-meter installations (references 2 and 3). Spain is actively deploying, while the rest of Europe and Asia are on the verge of massive deployments (reference 4). Utilities in North America, Europe, and China are aggressively upgrading their DA (distribution-automation) infrastructure with smart-enabled devices, including communication-enabled line sensors and distribution controllers. In a relatively poor global economy, smart-grid projects shine with bright success and infrastructure renewal. Success often makes us comfortable—even complacent—about the day-to-day operation of our systems. Looking forward to even more deployment, we tend to avoid hard, worrisome questions about the long-term effects of the movement. A particularly thorny question for the evolving smart grid is security. Where? How much is enough? I know a former utility employee who recently asked me, "If we network all of the electricity meters and grid infrastructure, can someone write a computer virus and take down the entire grid?" My answer was, "Yes."

To gain insight into these smart-grid security questions, consider two recent, well-documented security breaches and a report of a security gap: a 2009 smart-meter hack in Puerto Rico, a 2012 password discovery in grid distribution equipment, and insecure storage of a private key in distribution-automation equipment. For each of these attacks, secure-silicon methods exist that, as part of a complete security strategy, can help thwart the attacks.

Security risks on the rise

Whether a computer virus can take down an entire electricity grid is entirely up for debate, and beyond the scope of this article. Furthermore, the security world abounds with threats and worst-case scenarios.
As of now, most smart-meter communication occurs in a query-and-respond manner. The data exchange is simple, with minimal control functionality. Critical switching on the distribution grid occurs over different networks, protected by high voltage. The grid is evolving, however, right in front of us. In fact, the widespread deployment of the smart grid is increasing the opportunities for hardware and cyber attack. As with all communication networks, connectivity enables functions and applications that consume more bandwidth. Connectivity makes access to system functionality simpler. The drive toward using IP (Internet Protocol) to achieve interoperability will create robust networks that operate at low cost, but ones that are just as vulnerable to attack as the Internet itself. As with corporate data, critical grid functions such as switching, remote disconnect, and volt/VAR optimization will now migrate to these networks. These are wonderful technical advances for the grid, but along with them come new vulnerabilities.

With smart meters and grid distribution communication becoming more pervasive, we must anticipate critical threats. We must also assess the security breaches that have already occurred in the smart grid. What can we learn from them? What protections can equipment suppliers and grid operators proactively design into smart grids to thwart those attacks and others to come?

Securing manufacturing

In 2009, employees at an electricity-meter manufacturer in Puerto Rico hacked smart meters by accessing them through their optical ports. The U.S. FBI reported that the meter manufacturer's employees and utility employees were both altering meters and training others to alter meters; their payoff was $300 to $1000 in cash per meter. U.S. federal authorities estimate that the Puerto Rican utility's losses could amount to $400 million and that future attacks are likely (reference 5).
Although the exact security mechanisms, or lack thereof, at the manufacturing site are unclear, one fact is undeniable: manufacturing employees could gain access to a meter. Most companies use third-party manufacturers for some or all of their product manufacturing. While wealthier, established companies put tight controls on these manufacturers, smaller equipment makers often do not, or cannot, closely control their supply chain. As a result, their products are at higher risk of a security breach.

Strong authentication protocols are one highly effective method for avoiding the type of attack witnessed in Puerto Rico. In authentication, two communicating parties verify each other's identity and can therefore trust their communication. Individual passwords serve as the most basic form of authentication: any communication from an unauthenticated party, such as a hacker, is ignored. But what happens when a perpetrator uses a discovered password to gain system access? A typical password-protected static system uses the same password every time. A dynamic system, in contrast, achieves a higher level of authentication. As described by Jones, here the host generates a random number as a security challenge whenever a party requests access (reference 6). The requestor must then respond with an answer generated from that random number, the message that it is trying to send, and a secret key. The host compares the response to its random-number challenge with an internally generated response. The two responses must be equal, but every subsequent response will be different, because each is based on the random number generated by the host. The mathematics underlying this challenge and response are such that a party intercepting the response has virtually no possibility of recovering the secret key from that information. The dynamic nature of the system ensures that the communications are unique each time.
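The challenge-and-response exchange described above, written out as an added example (not code from the article or from Maxim): the host issues a random nonce, the meter answers with an HMAC-SHA256 tag over the nonce, the message and the shared secret key, and the host recomputes and compares the tag; the key, the message and the Party type are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is either side (host or meter); both hold the same secret key, which a secure IC would generate on chip and never export.
type Party struct{ key []byte }

// Challenge returns a fresh random nonce for each access request.
func (p Party) Challenge() []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable entropy: refuse to proceed rather than reuse a nonce
	}
	return nonce
}

// Respond binds the nonce, the message and the secret key into one HMAC-SHA256 tag,
// so each response is unique to its challenge and cannot be forged without the key.
func (p Party) Respond(nonce, msg []byte) []byte {
	mac := hmac.New(sha256.New, p.key)
	mac.Write(nonce)
	mac.Write(msg)
	return mac.Sum(nil)
}

// Verify recomputes the expected response and compares it in constant time.
func (p Party) Verify(nonce, msg, resp []byte) bool {
	return hmac.Equal(resp, p.Respond(nonce, msg))
}

// Demo runs one genuine exchange, then checks the captured response against the next challenge. Returns (genuineAccepted, replayAccepted).
func Demo() (bool, bool) {
	key := []byte("constructed-demo-key-0123456789ab") // constructed for the demo only
	host, meter := Party{key}, Party{key}
	msg := []byte("READ_INTERVAL_DATA") // constructed request
	n1 := host.Challenge()
	r1 := meter.Respond(n1, msg) // meter's answer to challenge n1
	n2 := host.Challenge()       // next session: new nonce, same message
	return host.Verify(n1, msg, r1), host.Verify(n2, msg, r1)
}

func main() {
	ok, replayed := Demo()
	fmt.Println("genuine accepted:", ok, "replayed response accepted:", replayed)
}
```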
Challenge-and-response schemes based on the SHA-1 and SHA-2 (including SHA-256) hash algorithms are excellent examples of this type of dynamic authentication. The most valuable information in the challenge-and-response authentication process is the secret key. Additional techniques to further strengthen the authentication process include generating secret keys on physically secure chips, such as the MAXQ1050, and generating keys in stages. These methods ensure that no single party retains access to all the building blocks of the keys. A combination of integrated and staged key generation provides even better security.

Single or multiple keys and asymmetric schemes

In August of 2012, Justin Clarke reported a security flaw in RuggedCom's ROS (Rugged Operating System). RuggedCom products provide ruggedized network timing and communications infrastructure for electricity transmission and distribution, as well as other industrial applications. Clarke's report asserted that an attacker could use a single key to penetrate the inner workings of the ROS (reference 7). Once inside, the attacker could easily view communication traffic without additional security barriers. Furthermore, an attacker could obtain a key from any piece of RuggedCom equipment and use it to access any other piece of their equipment.

The issue at hand relates to a single secret key. Systems employing a symmetric encryption algorithm use a single shared secret key for both encryption and decryption of data. Any device holding that key may join the network, similar to a conference call in which all participants use the same code to enter the discussion. Because of their sheer volume, smart-grid devices, and smart meters specifically, create a challenge for symmetric encryption schemes. The millions of smart meters and pieces of distribution-automation equipment installed on the grid mean that the holder of that single secret key can potentially access every piece of equipment. The security threat is obvious.
Shutting off power and causing massive outages in areas of critical infrastructure or high population represents the worst potential outcome. Furthermore, this is a minimal-effort attack with potentially dire consequences.

An asymmetric, certificate-based security scheme blocks this type of attack. Asymmetric schemes consist of a public/private key pair for each end device. Each key works to mathematically encode or decode a message. All network devices know each other's public key and may use it to encode a message directed to a specific device. That specific device then uses its private key to decode the message. Secure ICs generate private keys completely on chip, store them in secure memory, and never reveal them. Managing entities, such as utilities, then also give each device a certificate that establishes a chain of trust within a network. In this way the meter becomes associated with an access point, which authorizes the meter and allows it to join the network. Each certificate should be unique, based on an individual identification number or other unique identifying characteristic. This scheme therefore provides the benefit of asymmetric encryption, never revealing either the private keys of the many devices on the grid or network or the individual identification of each device.

Protecting keys

On September 19, 2012, the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) reported another security gap in distribution-automation equipment (reference 8). In this incident the private key used for signing certificates was insecurely stored on a PLC (programmable logic controller). The private key was the certificate authority's private key, so any device obtaining it could certify itself as a valid device in the network. The attacker could then execute a man-in-the-middle attack in which the attacker intercepts communications, certifies itself as a valid system device, and proceeds to gain network access.
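The per-device certificate chain described above, and why the CA signing key in the ICS-CERT case is the critical asset, as an added example (not the article's or any vendor's code) using Go's standard x509 package: a certificate issued under the utility's root validates, while one for the same meter ID signed by any key other than the utility's CA key does not. All names, serials and keys are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl builds a minimal certificate; each device gets its own serial and CN (a constructed meter ID).
func tmpl(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA}
}

// issue signs t for the holder of pub with the signer's key under parent (a root passes itself as parent).
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err) // inputs are constructed here; only a programming error reaches this
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// trusted reports whether dev chains to a root in the utility's trust store.
func trusted(roots *x509.CertPool, dev *x509.Certificate) bool {
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// Demo: the utility CA certifies one meter; a second certificate for the same meter ID, signed by a self-made root that lacks the utility's CA key, is rejected. Returns (genuineTrusted, rogueTrusted).
func Demo() (bool, bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // CA key: the asset the ICS-CERT advisory is about
	caT := tmpl("Utility Root CA (constructed)", 1, true)
	ca := issue(caT, caT, &caKey.PublicKey, caKey) // self-signed root
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	meterKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated on the meter's secure IC, never exported
	meter := issue(tmpl("METER-000123", 2, false), ca, &meterKey.PublicKey, caKey)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // any key that is not the utility's CA key
	otherT := tmpl("Self-made Root (constructed)", 3, true)
	otherRoot := issue(otherT, otherT, &otherKey.PublicKey, otherKey)
	rogue := issue(tmpl("METER-000123", 4, false), otherRoot, &meterKey.PublicKey, otherKey)
	return trusted(roots, meter), trusted(roots, rogue)
}
```

Run it with `go test`; the trust decision rests entirely on which key signed the chain, which is why the CA key must stay off the PLC.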
Initial resolution of the issue required uninstalling the certificate-authority signing keys and manually confirming the identity of each device on the network. This resolution method works in a smaller network, but it would require massive expense and effort for a multimillion-device network. Key management is the most difficult aspect of security because key access means key exposure, to systems or people, and exposing keys greatly increases the risk of theft. The first line of defense in protecting keys is, therefore, to generate them once, in a physically secure IC, and never let them off the chip. A device on the smart grid can effectively use keys stored in such a way and never reveal them.

In addition to on-board key generation, encryption, and software security, there is also the matter of physical device security, which provides many effective techniques for securing keys. When tamper-detection pins on secure ICs sense interruptions of specific signals between pins electrically connected to equipment access points, the IC reports a physical tamper event. Systems respond to tamper events as programmed; actions range from logging the event to erasing secret keys, rendering the system inoperable, which is common in financial terminals but generally not acceptable in the smart grid. Protective meshes and temperature monitoring are other mechanisms for detecting efforts to decap a secure silicon device to retrieve keys. Meshes physically protect the top of a secure device from a probing attack. Temperature sensors detect events such as pouring liquid nitrogen on a device in an attempt to retrieve a key from memory. Secure memory design also includes mechanisms for eliminating retention and imprinting of key data caused by material stress over time. Overall, storing keys in a secure IC instead of the general-purpose RAM of a connected device like a PLC provides the ultimate level of security for those keys.
Cyber attacks on the rise

The real scenarios in this article represent the tip of the proverbial iceberg. In July of 2012, the top U.S. military official responsible for defense against cyber attacks, General Keith B. Alexander, reported a 17-fold increase in cyber attacks against American infrastructure from 2009 to 2011 (reference 9). GlobalData reported in September of 2012 that the cyber-security market in China will increase from $1.8 billion in 2011 to $50 billion in 2020 (reference 10). The smart grid is an undeniable trend. Countries and utilities are working to establish better control over their electricity resources, shave peak demand, operate more efficiently, and accommodate massive amounts of distributed resources. The smart grid also becomes the major litmus test for the future networking of things over the Internet, a proving ground for a network of millions of smart meters. Knowing all this, equipment and meter manufacturers must consider security as a critical, system-level requirement when developing smart-grid devices. There is no doubt that multilayered, life-cycle hardware and software security are the best means for keeping smart grids operational.

References

1. Institute for Electric Efficiency, "Utility-Scale Smart Meter Deployments, Plans, & Proposals," IEE Report, The Edison Foundation, May 2012.
2. Tweed, Katherine, "Smart Grid Italy: What to Watch," GreenTechGrid, 10 Aug 2011.
3. "Sweden at forefront of demand response in Europe," eMeter, 17 Aug 2010.
4. "Iberdrola to deploy an additional one million smart meters in Spain," Telecom Engine, 20 Mar 2012.
5. Krebs, Brian, "FBI: Smart Meter Hacks Likely to Spread," Krebs on Security.
6. Jones, Scott, "Protecting R&D Investment with Secure Authentication," Maxim Integrated tutorial 3675, 19 Oct 2012.
7. "Siemens software which control power plants vulnerable to hackers," Homeland Security News Wire, 27 Aug 2012.
8. "Siemens S7-1200 insecure storage of https CA certificate," Advisory ICSA-12-263-0, ICS-CERT, 19 Sep 2012.
9. Sanger, David E. and Eric Schmitt, "Rise Is Seen in Cyberattacks Targeting U.S. Infrastructure," New York Times, 26 Jul 2012.
10. "China's Cyber-Attack Fears to Spark Massive Defense Spending," GlobalData, 19 Sep 2012.