By Meir Shargal and Doug Houseman

In North America there is a set of regulations from the North American Electric Reliability Council (NERC) called Critical Infrastructure Protection (CIP). While this set of regulations applies only in the US and Canada, it points the way to what good security for electric infrastructure looks like. Please note there is still a discussion as to whether NERC CIP applies directly to smart metering, even in North America.

NERC CIP offers a way to determine which systems need the most security to maintain the grid, protect customers from outages and protect companies from bad information. In 2003, a young Italian figured out how to “hack” into Enel’s metering system and alter settings in the meter that changed what the meter reported to Enel. These changes to the meter reporting reduced the bills of those who used them. The hack was posted on the internet, and Enel made changes to its meters to prevent the hack from working in the future.

This is just one example of how a smart metering system can be hacked. One of the US national labs has been working to determine what the vulnerabilities in the grid are, and recently released a video of a cyber attack on a small diesel generator that resulted in the destruction of the generator. With disconnects and home area networks (HAN) being installed in meters and in customers’ homes, securing the meters and the networks that support them is becoming more important. In 2000 there were very few meters anywhere that had the ability to affect devices that used electricity on the grid. By the end of 2008 there will be more than a million smart meters with disconnects or HAN installed in customer locations. This is just the tip of the iceberg: by the end of the year there will be more than 15 million meters on order for installation that contain these capabilities. Security will have to move from relying on obscure protocols (security through obscurity) to real, planned security.

In North America a group of utilities has formed a working group, AMI-SEC, under Utility AMI, which is responsible for determining security requirements for the member utilities. Together these utilities are responsible for more than 20% of the meters in the region (US, Canada and Mexico), and many are leading the way in installing meters. Some of the material in this article has been used in the Utility AMI and AMI-SEC meetings.


Figure 1 – Schematic of a modern smart metering system

Complexity
Smart meters have become complex. They are no longer a measurement instrument attached to a display, where magnets and shunts were the main ways to spoof the resulting measurements. Instead they are made up of many components, including electronics and computers, with all the same vulnerabilities that any other electronics or computers would have (Figure 1).

Where there are multiple communication links there are multiple locations with potential openings for hackers and others. The system is complex enough that the US National Institute for Standards and Technology (NIST) has developed two standards dealing with control systems that are being applied to smart metering, NIST 800-53 and NIST 800-82. This complexity has meant that at most utilities that are looking deeply into security, it is the information technology (IT) security team that is brought into the security review. At some utilities there is a move to add outside security experts and even “white hat” hackers – people who work for corporations and only hack at the request of corporate customers.

The HAN opens the biggest issues for most utilities. HAN standards are readily available to the public, and anyone can read them. The ZigBee Smart Energy standard is over 5 centimetres thick. While it passes muster today, as a standard and as an implementation, the devices that are being deployed are expected to be in place for 20 years or longer. Most operating systems and most security measures have to be replaced in the computer world long before 20 years, with a more likely cycle of 3 to 5 years in the computer industry and 8 to 10 years in the industrial controller world. This 20-year window gives interested parties a long time to find holes in the security of the HAN and use them to exploit the HAN and possibly the smart metering system. Vendors are adding many of the same features to HAN devices that are being added to commercial networks connected to the internet, including firewalls and encryption, to minimise the damage that a hacker can do. They are also making it possible to upgrade the firmware in the devices remotely over the network. This is a two-edged sword: it means that the owner of the network can upgrade the devices remotely and introduce new features and new security, but hackers, if they can figure out how to get into the network, can install Trojans or other malware into the devices and take control of them.
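The remote firmware upgrade path described above is only as safe as the device's check of what it is asked to install. The following added example (not code from this article or from any meter or HAN vendor) shows that check from the defender's side: the device accepts an image only if an Ed25519 signature under a pinned utility public key verifies over the version and image together, and only if the version is strictly newer than the one installed, so a captured older image cannot be pushed back onto the device. The Update layout, the function names and the sample images are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a constructed firmware package: a monotonically increasing version,
// the image, and an Ed25519 signature over SHA-256(version || image).
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}
// digest binds version and image together, so a signature cannot be reused
// with a different image or re-labelled with a different version number.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)})
	h.Write(image)
	return h.Sum(nil)
}
// SignUpdate runs only on the utility's signing service, which holds the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, digest(version, image))}
}
// VerifyUpdate is what a meter or HAN device runs before flashing: the signature
// must verify under the pinned public key, and the version must be strictly newer
// than the installed one so an old, known-flawed image cannot be pushed back.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Image), u.Sig) {
		return errors.New("signature invalid: image rejected")
	}
	if u.Version <= installed {
		return errors.New("version not newer than installed: rollback rejected")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	good := SignUpdate(priv, 2, []byte("constructed image v2"))
	bad := good
	bad.Image = []byte("constructed image v2 plus backdoor")
	fmt.Println(VerifyUpdate(pub, 1, good), "|", VerifyUpdate(pub, 1, bad), "|", VerifyUpdate(pub, 2, good))
}
```

In a real deployment the public key would be pinned in the device at manufacture and the version counter stored in tamper-resistant memory, neither of which the example models.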

Attack vectors
Malware is not the only attack vector against the smart meter; there are many. The AMI-SEC threat model dated January 2008 developed the following list of attack vectors, most electronic in nature but some purely physical. The list includes:

  • Brute force - Performing an exhaustive search of all possible values for a security credential or attribute (e.g. key, password or passphrase)
  • Bypass - Bypassing system security functions and mechanisms
  • Destruction - Causing the destruction of system data, business data or configuration information
  • Disclosure - Losing data confidentiality
  • Denial of service - Overloading the network and/or system resources
  • Hijack - Commandeering one side of an existing authenticated connection
  • Malware - Deploying malicious software developed for the purpose of doing harm to a computer system or network (e.g. viruses, Trojan horses, backdoors, etc.)
  • Man in the middle - Inserting undetected between two connections, where the attacker can read, insert and modify messages at will
  • Physical - Causing physical damage to, or destruction of, an asset
  • Privilege escalation - Causing an unauthorised elevation of privilege
  • Replay - Creating an unauthorised replay of captured traffic
  • Repudiate - Refuting an action or association with an action
  • Sniff - Performing unauthorised traffic analysis
  • Social engineering - Manipulating knowledgeable entities to gain privileged information or access
  • Spoof - Impersonating an authorised user or asset
  • Tamper - Modifying, in an unauthorised manner, system data, business data or configuration information

This list offers a security professional a lot to think about. Each attack vector has a different impact on the smart meter system and a different range of damage that the hacker can do. In a physical attack the attacker has to reach each and every device they want to disable or destroy. In a riot it might be possible to get large numbers of people to destroy meters, but in normal circumstances physical attacks will be limited to small numbers of meters at a time per attacker. At the other end of the scale is the installation of self-replicating malware that can take over or corrupt the whole system over time. Malware, as corporations have learned with personal computers, can take many hours to remove from all the corrupted machines. In the case of smart meters, the number of meters will typically exceed the number of PCs by two orders of magnitude, and if the HAN is included it can easily be three orders of magnitude. A typical utility with 1 million customers has fewer than 10,000 PCs, but it would have 1 million meters and up to 30 million HAN devices in a fully mature installation. A paranoid person can easily come up with end-of-the-world scenarios for most of the attack vectors. The good news is that there are actually people working to close the holes in smart metering systems based on these attack vectors.


Figure 2 – Smart meter system interfaces to the world

Interfaces
Not only is the smart metering system itself complex, but its interfaces to the rest of the world are also complex. Again, the AMI-SEC working group has looked at the interfaces into the rest of the world (Figure 2).

In any system it is important to realise where the data gets into and out of the overall network of systems and who has access to the various pieces. Each piece needs the right security (physical, cyber, people and process) around it to ensure that someone internal to the organisation, or a legitimate user of the system, does not hijack it for non-official reasons.

Conclusions
It is impossible in a short article to discuss all the issues, and this article does not attempt to do so; rather it is an attempt to inform people that there is a security issue that needs to be looked at.

The following steps to a secure smart metering system are recommended:

  • If you have not engaged your internal IT security organisation in reviewing your smart metering project, do so
  • Review the available documents and become familiar with them; they provide the best information that is available today
  • If your internal security team is not comfortable doing the review of your smart metering system, then engage an organisation that is
  • If in doubt about how secure your system is, err on the side of caution – if you do not feel your software is secure enough to run a disconnect, make the first installation without the code to operate the disconnect, and do the same with other features that could cause havoc in your network
  • Remember that hackers are constantly upgrading their attack arsenal – do not rest on your initial security decisions; monitor the situation and upgrade security as you see a reason to do so
  • Remember there is no perfect security – everything has flaws.

Keeping this list in mind will significantly reduce your chance of making headlines in newspapers and websites around the world.

Suggested standards and articles for further reading

Standards

  • NERC CIP 002 to 009
  • NIST Special Publication 800-27 – Engineering Principles for Information Technology Security
  • NIST Special Publication 800-53 – Recommended Security Controls for Federal Information Systems
  • NIST Special Publication 800-57 – Recommendation for Key Management
  • NIST Special Publication 800-82 – Guide to Industrial Control Systems (ICS) Security
  • IEC 17799 – Information Security Management
  • IEC TS 62351 – Power Systems Management and Associated Information Exchange – Data and Communications Security
  • ISO/IEC 13335 – Information Technology – Security Techniques – Management of Information and Communications Technology Security
  • ISO/IEC 21827 – Information Technology – Systems Security Engineering – Capability Maturity Model (SSE-CMM)
  • ITIL v3 (Governance) – Information Technology Infrastructure Library
  • IEEE 1471-2000 – Recommended Practice for Architectural Description of Software-Intensive Systems
  • ANSI/ISA-99.00.01-2007 – Security for Industrial Automation and Control Systems
  • ITU-T Recommendation X.805 – Security Architecture for Systems Providing End-to-End Communications
  • AMI-SEC Threat Model, draft, January 2008
  • Open HAN Standard v1.0
  • ANSI C12.22 – Protocol Specification for Interfacing to Data Communications Networks

Security audit

  • SysTrust (a CACI extension to SAS-70 and CACI-5670)
  • NERC CIP – Using the HP NERC CIP Audit Tool

Articles

  • J. Eisenhauer, P. Donnelly, M. Ellis, and M. O’Brien, “Roadmap to secure control systems in the energy sector,” Energetics of Columbia, MD, January 2006.
  • Government Accountability Office (GAO) Report to Congressional Requesters, “Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibility,” GAO-05-434, May 2005.
  • G. N. Ericsson and A. Torkilseng, “Management of information security for an electric power utility – on security domains and use of ISO/IEC 17799 standard,” IEEE Transactions on Power Delivery, Vol. 20, No. 2, April 2005, pp. 683–690.
  • E. Goetz, “Cyber security of the electric power industry,” Institute for Security Technology Studies at Dartmouth College, December 2002.
  • L. A. Gordon, M. P. Loeb, W. Lucyshyn, and R. Richardson, “CSI/FBI computer crime and security survey,” Computer Security Institute, 2005.
  • J. Tang, R. Hovsapian, M. Sloderbeck, J. Langston, R. Meeker, P. G. McLaren, D. Becker, B. Richardson, M. Baca, J. Trent, Z. Hartley, R. Parks, and S. Smith, “The CAPS-SNL power system security testbed,” Proc. CRIS, Third International Conference on Critical Infrastructures, Alexandria, VA, September 2006.
  • C. L. DeMarco and Y. Braden, “Threats to electric power grid security through hacking of networked generation control,” Proc. CRIS, Third International Conference on Critical Infrastructures, Alexandria, VA, September 2006.
  • B. A. P. Moore, R. J. Ellison, and R. C. Linger, “Attack modeling for information security and survivability,” CMU/SEI-2001-TN-001, March 2001.
  • B. Schneier, “Attack trees: modeling security threats,” Dr. Dobb’s Journal, December 1999.
  • “Vulnerability assessment methodology for electric power infrastructure,” US Department of Energy, Office of Energy Assurance, September 30, 2002.
  • Government Accountability Office (GAO) Report to Congressional Requesters, “Information security: technologies to secure federal systems,” GAO-04-467, March 2004.
  • C. E. Landwehr, “Computer security,” Springer-Verlag, July 2001.
  • M. Amin, “North America’s electricity infrastructure: are we ready for more perfect storms?” IEEE Computer Society: Security & Privacy, 2003, pp. 19–25.
  • J. Jung, C.-C. Liu, M. Hong, M. Gallanti, and G. Tornielli, “Multiple hypotheses and their credibility in on-line fault diagnosis,” IEEE Transactions on Power Delivery, Vol. 16, No. 2, April 2001, pp. 225–230.
  • “Cybersecurity standards workshop,” user manual for the workshop, North American Electric Reliability Council, September 28-29, Minneapolis, MN.
  • NISCC Technical Note Series, as published by the NISCC Outreach Team.