Global Sources
EE Times-India
Stay in touch with EE Times India
 
EE Times-India > Networks
 
 
Networks  

How to secure the smart grid and SCADA

Posted: 02 Aug 2013     Print Version  Bookmark and Share

Keywords:Automatic meter reading  AMI  RF  Remote metering  smart grid 

We usually read articles about stolen Social Security Numbers, stolen credit-card information, data theft and other security breaches in a wide variety of businesses and organisations. The energy sector is not immune to these risks. With the increasing implementation of smart-grid technologies and the use of networked devices therein, the energy sector becomes an ever more viable and attractive target. This article identifies areas of the smart grid that demand extra care when it comes to security measures and why these particular areas are vulnerable today.

Although the smart grid is much more than just remote meter reading, we want to start this paper with a security example that exists today and is that implemented on a large scale. Automatic meter reading (AMR) and the build-up towards advanced metering infrastructure (AMI) has already been deployed in the United States and forms an interesting beginning for the security discussion.

Remote metering makes it easier and more efficient for energy providers to bill their customers. Timely read-outs of the meter, such as once a day, allows for accurate and up-to-date information on customer usage patterns, which in turn allows for energy companies to optimise their energy generation process. The meters themselves are equipped with a transmitter/receiver capability, which either can be read remotely from a handheld device or over the air over long distances using RF technologies.

Initial observations of existing smart meters
Some of the issues we found during the inspection of such a widely deployed meter include, but are not limited to:
 • No encryption of the data sent or received by the meter
 • No authentication procedure between meter and local / remote reader
 • Potential to read and write (modify) the program code stored in the meter electronics

Meters that do implement some level of authentication and password protection have serious flaws in their implementation. For example, a metering protocol such as IEC60870-5-102 (which is luckily not widely adapted, but serves fine as an example) have functions to read data from the meter that do not require authentication and another set of functions such as for example the disconnect that needs a password. One particular meter we reviewed allowed one to retrieve said password using the unprotected read function, making the authentication for the disconnect function pointless. Other such findings have been previously published by security researchers, such as in C4 Security's article "The Dark Side of the Smart Grid—Smart Meters (in)Security."1 Another example that presented a highly publicized smart-meter hack is described by Mike Davis in "SmartGrid Device Security, Adventures in a New Medium."2

While one might assume that the data contained on and transmitted from a simple device such as this is non-sensitive, this is definitely not the case. Usage patterns obtained from the device provide valuable information which can indicate when someone is physically present and therefore can be utilised to determine the time frames when the location is unoccupied. This information can be easily gathered and used to plan a break-in. If suddenly usage patterns decrease, this can be an indication that the occupants are on holiday. All this information can be easily gathered without having to have a physical presence near the target house to monitor for such patterns, by deploying an electronic data logger somewhere in the neighbourhood. Indeed, it becomes easy to monitor multiple targets at once.

Furthermore, many of these meters contain a remote 'disable' feature, which can be used to remotely disconnect the supply of electricity, for example because the end user did not pay the bill. Since the meter does not have adequate security measures in place, it is straight forward to exploit this feature for example to turn off the electricity (and possibly security systems) to a house, perhaps for vandalism, or because it is targeted for robbery.

Since the on-board meter electronics are not well protected due to an easily bypassed tamper protection, the code running on the meter could be downloaded. This means that an attacker can study the code to develop a deep understanding of its operations, and look for potential security issues. Additionally, since these devices have few resources and are design for low power consumption, features such as a proper random number generator, cryptographic accelerators, and other features we've come to expect are often missing and can compromise security. Even without physical compromising the meter, side channel attacks and others are possible. One particular example we found is where a communications module is used and whereby the security key has to be transmitted over a physical bus from the main processor to the communications module, allowing it to be easily intercepted. This has also been demonstrated in Travis Goodspeed's article.3

More than meters
Of course, the smart grid is much more than just metering. Figure 1 shows the different levels from a high level, all of which need special care when it comes to security. We'll discuss these other domains in the next section.

Figure 1: The smart grid. (Click on image to enlarge.)

Security
Security is one of those areas that very often gets ignored because it's seen as an overhead expense, not as something that adds value and can be charged for. It also slows the development process: it's not something that can be added on at a later time, it has to be part of the overall design. Security should be a focal point, but currently it's not due to cost and time-to-market pressure. Security must be a planned up front investment.

1 • 2 • 3 Next Page Last Page



Comment on "How to secure the smart grid and SCA..."
Comments:  
*  You can enter [0] more charecters.
*Verify code:
 
 
Webinars

Seminars

Visit Asia Webinars to learn about the latest in technology and get practical design tips.

 

Go to top             Connect on Facebook      Follow us on Twitter      Follow us on Orkut

 
Back to Top