Hacking the Smart Grid

technologyreview.com

3 points by p3ll0n 15 years ago · 9 comments

tptacek 15 years ago

Quick correction: Mike Davis did a lot of fundamental research on the platform IOActive attacked for Black Hat in 2009, but my understanding is that Travis Goodspeed wrote the actual exploit code used in the demonstration.

I point this out not to diminish Davis' work, which I'm sure was great, but to illustrate the extent to which "smart grid" attacks are in vogue right now in vulnerability research. There were, I believe, at least 4 talks on it at Black Hat this year. Every software security consultancy in the country has done multiple projects targeting "smart grid" components in general and automated metering (AMI) in particular.

Smart grid components are interesting to me not because they're a vector for flashy (and horrific) real-world attacks, but because they demand a different strategy for mitigating attacks.

In conventional software, dev teams can rely on a "get it right and then patch what breaks" approach. While updating software is notoriously difficult, it is at least a plausible response to a serious security flaw.

When you deploy 100,000 smart meters running RTOS's on TI microcontrollers, this strategy doesn't work. Anything straightforward you do to make those meters feasible to update is going to blow up in your face. And this is an extremely unforgiving place to deploy security countermeasures; you face not only strict code-size limits on the meters themselves, but also RF protocols that need to squeeze every bit out of every message.

I think the winning strategy for the "smart grid" is, like Blu-Ray, renewability. Instead of trying to train 500 microcontroller realtime C devs in secure code and crypto protocols, people should sit down and devise mechanisms to recover from security flaws. Things as simple as protocol versioning, or the ability to shun/revoke specific devices, or the ability to fault to manual reads are likely to make a bigger difference than whether the devices are using truncated SHA1 vs. SHA256.
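The three recovery mechanisms named in the comment above (a protocol version floor, per-device revocation, and falling back to manual reads), sketched as a head-end message handler. This is an added illustration, not code from the thread or from any AMI vendor; the message fields and the `HeadEnd` class are hypothetical.

```python
"""Renewability mechanisms for a meter fleet: version floor, revocation,
fault-to-manual-read. Constructed example; message format is hypothetical."""
from dataclasses import dataclass, field


@dataclass
class HeadEnd:
    # Lowest protocol version still trusted; raised when a flaw is found in
    # an older version, so meters that cannot be upgraded stop being trusted.
    min_version: int = 1
    revoked: set = field(default_factory=set)      # shunned meter IDs
    manual_read: set = field(default_factory=set)  # meters needing a field visit
    readings: dict = field(default_factory=dict)   # last accepted kWh per meter

    def revoke(self, meter_id):
        """Shun a single device without touching the rest of the fleet."""
        self.revoked.add(meter_id)
        self.manual_read.add(meter_id)

    def bump_min_version(self, version):
        """Retire a protocol version that has a known flaw."""
        self.min_version = version

    def handle(self, msg):
        """Decide on one meter message; returns the decision as a string."""
        meter_id = msg["meter"]
        if meter_id in self.revoked:
            return "rejected:revoked"
        if msg["version"] < self.min_version:
            # Stale firmware may still talk, but its data is no longer acted
            # on; the account falls back to a manual read instead.
            self.manual_read.add(meter_id)
            return "rejected:stale_version"
        self.readings[meter_id] = msg["kwh"]
        self.manual_read.discard(meter_id)
        return "accepted"


# Constructed sample traffic: two meters, a version bump, then a revocation.
SAMPLE = [
    {"meter": "M1", "version": 1, "kwh": 10.0},
    {"meter": "M2", "version": 1, "kwh": 7.5},
    ("bump", 2),
    {"meter": "M1", "version": 1, "kwh": 10.4},  # M1 not yet upgraded
    {"meter": "M2", "version": 2, "kwh": 7.9},
    ("revoke", "M2"),
    {"meter": "M2", "version": 2, "kwh": 8.1},
]


def run_sample(events=SAMPLE):
    """Replay the sample events; returns (decisions, meters on manual read)."""
    h = HeadEnd()
    decisions = []
    for ev in events:
        if isinstance(ev, tuple):
            h.bump_min_version(ev[1]) if ev[0] == "bump" else h.revoke(ev[1])
        else:
            decisions.append((ev["meter"], h.handle(ev)))
    return decisions, sorted(h.manual_read)
```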

sophacles 15 years ago

This has been a point of discussion for at least half a decade. The article has nothing that hasn't been posted to HN before. My take on the playing field: Smart grid stuff has a weird confluence of stuff going for it, which is bad for security, but not as bad as the doom-and-gloom-for-profit folks say it is.

* Very legacy systems are very much in play, and compatibility is a requirement -- replacement and modernization is extremely expensive and time consuming.

* Old school engineers who hang on to the "the power grid is different, we need specialized, non-standard IT systems" mentality. This is partially true, but not to the point they make it.

* A general distrust among power grid engineers (including software) of anyone claiming that "evil hackers are everywhere". They don't understand certain software issues, like once an exploit is found it is essentially free to take advantage of, which is the exact opposite of many real-life security issues.

* Utilities that view security as a matter of procedural compliance with some set of rules.

These combine for a bleak picture; the tempering, though, comes from:

* vendors and regulators (DOE, NERC, FERC) are very concerned with security at all levels.

* researchers are starting to show how real, physical damage can be caused by cyber-security problems (not just hypothetical, but demonstrable, bottom line affecting issues).

* recognition by the more pragmatic older engineers that today's "kids" are maybe on to something using commodity communications and software instead of custom everything. This has inherent security benefits in many places.

All that being said, this is a giant field, and the "smart grid" is not one thing (in fact, if you have n people talking about it, (n-1)^2 definitions of smart grid will usually emerge) -- security for the grid is an exciting and interesting place to be.

  • tptacek 15 years ago

    It's going to be "custom-everything" for the foreseeable future, since the grid operators want (need) to deploy this stuff in a tower-and-mesh topology. Even if you managed to build a system out of "COTS" technology (say, GSM and IP multicast), you'd still be working with technology that gets virtually no ongoing scrutiny from software security teams.

    Unfortunately, I think software security expertise is going to be relegated to nipping at the edges of this problem, which the vendors and grid operators appear to be delegating to the "national labs" like Sandia and Idaho.

    • sophacles 15 years ago

      Meshing is the only reasonable way to network the meters and related communications (collectively AMI), but at the substation level (for distribution and transmission networks) you can realistically start using COTS. People like Schweitzer who are already entrenched may try to keep the custom-everything model, but there are serious efforts to at the very least use a single standard stack. Big pushes for 61850 in the substation and a common wide area solution for utility-utility and utility-regional coordinator communications are happening right now.

      They may be somewhat custom, but they are more COTS/standardized than previously. Further, there are several FOAs right now that require a built-in security component. These FOAs fund next-gen technology development, so I am not sure how you see this as only an "edge problem".

      • tptacek 15 years ago

        The systems I've worked on are all COTS from the tower on back (but then, they're all custom apps back there too, so it's not like there's a lot of safety to be gained from being on an IP network).

        But who cares what they're using at the tower? Breaking into the distribution layer is a vanity attack if you can wreak havoc with 100,000 meters.

        People who see "security" as a "component" of a software/hardware solution typically don't actually "get it"; these are the people that just can't get their heads around the fact that attackers will rip meters off walls, crack them open, JTAG them up and use them as modems. It always sounds so self-aggrandizing to say this, but you have to do security pervasively, from design to implementation to testing, to make a dent in the problem.

        • sophacles 15 years ago

          I think we are speaking past each other. You are talking about the problems that arise from crappy meters. I don't deny this. Further, the security needs in those meters are high. I say this from a consumer protection and a grid protection point of view (as in part of a larger defense in depth framework). And, the meters should be as secure as possible from general principle too.

          However, my point is that the doom-and-gloom type scenarios, of "OMG the meters are insecure, now they own the power grid", are not realistic. There are other systems on other networks that can isolate and/or shut down places that have misbehaving meters. This is a result of grid operators being very paranoid about malfunction -- and at the level you are talking about, this looks to the grid like a malfunction. There are billions of dollars of infrastructure to protect, and from that point of view, they have already made some good moves from a security standpoint -- a coordinated effort on many levels is required to get the grid to a failure state.

          Again, I agree that security must be part of the entire process; however, there is the other, equally valid point, which says "at some point, there will always be cheaters, and as a result this must be dealt with in a cost/benefit context". In many ways it could be cheaper to go with a fairly insecure smart meter and just look for evidence of tampering with statistical comparisons and the occasional man in the field to look for physical evidence of tampering. I think this is particularly notable, as there is no good way to prevent people from getting physical access (security kiss of death) to the meters anyway.

          • tptacek 15 years ago

            I don't think we're talking past each other. You and I appear to disagree about the value of a region-wide compromise of smart meters; you point out that at least the grid operator hasn't lost its distribution network when that happens, and I point out "so what? attackers are still randomly cutting off everyone's power!"

            The big gap between where you are and where I'm at is that you're operating under the assumption that all the meters do is count stuff. No.
