Security in the smart grid. This topic is getting a lot of attention from governments, utilities, and even consumers. The attention is warranted. Besides air, water, food, and shelter, electricity has become one of mankinds most fundamental necessities. The reliable flow of electricity is certainly crucial to life in the industrialized world, and is a key factor in facilitating the development of emerging countries.
The prevalent discussion on security in the smart grid tends to focus on cyber security, in this case the ability of embedded devices to join networks and transact data over networks in an authenticated way. While this is a critical step in securing the supply of power to the world in a smart grid environment, this approach is too narrow. It ignores the threats to the smart grid from throughout the life cycle and supply chain of smart grid equipment.
In this article we will explore some threats to the smart grid that are ever present in the supply chain of a smart meter. We will explain why those threats must be considered and remedied to ensure the cyber security of the grid. Finally, we will assess the technologies available to combat these threats.
Why threaten the grid?
Why would anyone want to attack a smart meter? The answers vary.
In perhaps the most simple scenario, attackers might want to lower their own electricity bills. This objective is selfishattackers want to change the behavior of their smart meter to protect their own interests. In some cases, it could be organized criminal activity that wants to hide true consumption data (a common case is drug laboratories trying to disguise their consumption).
But what about attackers who deal at a more ideological level? It is no secret that many countries must handle the threat of terrorist attacks, perhaps even daily. While threats like bombs or airplane attacks are certainly scary, attacks against the electrical delivery grid could, in fact, be far more effective at disrupting the quality of life for a large number of people. An attacker who takes control of a few million meters could launch a very substantial public assault by disrupting the flow of electricity to a huge population.
Physical threats during the smart meters life cycle
The nearby illustration shows at a conceptual level the various stages in the life cycle of a smart meter. For simplicity, this model has been limited to four steps: the procurement of silicon, the manufacturing of the smart meter, the deployment of the smart meter, and the smart meter in mission mode. This simple model lets us create a threat analysis. For each stage (including the transition or shipment between stages) we ask ourselves, what are the ways that an attacker might try to take control of a smart metering network?
1. Replace legitimate ICs with fakes
Transit between a silicon manufacturer and equipment manufacturers presents an excellent opportunity for attackers to inject problems into the smart meter supply chain. Microcontrollers are the juiciest targets for attackers. In normal supply-chain models, a silicon manufacturer will ship a flash-based microcontroller to a manufacturing house, whether a contract manufacturer (CM) or the end customer. At the manufacturing site, the smart meter firmware is loaded into the microcontroller. Some system-level configuration occurs before the meter manufacturing is complete and a smart meter is boxed. This is how the process is supposed to proceed.
Now imagine a sophisticated attacker who designs and manufactures a microcontroller that looks and acts very much like a genuine metering system on a chip (SoC). There are multiple scenarios possible now. This IC could be altered to allow a cyber terrorist to assume control of a meter remotely over a network connection. Or, the fake SoC could be designed to dump its memory contents to any request, thereby divulging secret communications keys loaded during manufacturing. Or, the fake SoC could allow its software to be inspected by anyone, thereby threatening the IP of the legitimate meter manufacturer.
There are other less sophisticated attackers. A "fake IC " does not need to be manufactured. Imagine an authentic flash microcontroller being shipped to a CM. An attacker intercepts the shipment and loads a program in the flash that looks very much like the normal boot loader built into the system. When the IC arrives at the CM, the deception (i.e., the fake bootloader) might be difficult to detect. The CM then downloads the normal firmware, but the insecure bootloader has created a resident virus in the meter. Later this virus could cause the meter to function incorrectly and share secret encryption keys with an attacker.
Without appropriate protections, an attacker who fakes or tampers with an IC shipment can control the entire life cycle of a smart meter, opening up any imaginable problem on the smart grid.
2. Use social engineering to load bad software during manufacturing
Threats exist on the manufacturing floor as well, with the most tangible threat in the workforce running the manufacturing operations. Typically, these workers earn far lower wages than the engineering teams or managers. Imagine a poor economy where a $100 bribe will convince a manufacturing line worker to load special firmware into a batch of smart meters. In more wealthy nations, if $100 does not work perhaps $1,000 or $10,000 will?
If an attacker gains access to the manufacturing flow, they can potentially steal the binary code images intended to be loaded onto the smart meter. It would not be too difficult to take that image and alter the firmware to cause unintended behavior. For example, an attacker alters an interrupt vector so that it causes undesirable behavior in rare, carefully defined situations. The interrupt vector could be programmed to monitor a real-time clock, waiting until a specific time in the summer when it will open the meters disconnect relay and stall the processor to take the meter off the network. Under such an attack millions of meters might stop the flow of electricity to residential consumers. The economic costs would be staggering if the utility were forced to manually replace the smart meters. The cost in human life could be higher, considering the threats from a disruption of service during the heat of summer.
3. Steal software to clone a meter
Let's consider an attack based on economics and not terrorism. In normal manufacturing flows, the binary image loaded into a smart meter is readily available to the workers on the line. With a modest bribe (i.e., a social engineering expense) the attacker gains access to raw PCBs for reverse engineering. Now this attacker has the complete BOM with identified IC part numbers and the software needed to run the smart meter. This is everything needed to clone a meter. The attacker can sell the meter design without the R&D costs for that meter.
View all SMART GRID Bulletins click here
Enter your email-id to subscribe to theSMARTGRID Bulletins