Why the Rush to Embrace Technology Always Makes Security Harder
What is a Smart Grid?
The electric grid is almost like a living organism. Electricity flows through the grid as controllers work to keep things working properly — bringing power plants online, estimating load, balancing the peaks and valleys of demand, and so on.
You can think of today's existing grid as a "broadcast" system intended to get electricity from central power plants to the houses and businesses where it is needed. The idea behind smart grid is to do a much better job routing power so that it is available where it is needed when it is needed with much more efficient transmission (think superconducting wires, better substation routing, better load estimation, and so on).
Half the battle here is removing information latency from the consumption data stream. Knowing how much power the endpoints consumed last month, yesterday, or even eight hours ago is not fast enough. The smart grid requires faster propagation of data from the consumer end, and much quicker reaction time from the production and transmission end. That means a different sort of communication feedback loop is required.
What is a Smart Meter?
Part of the solution to the information latency problem is to build smart meters designed to measure power consumption and communicate those measurements back to "central services" quickly. Propagation of the data may happen over a separate information network (perhaps the Internet) and, in fact, different smart meter designs use different data networks, but the convergence of data and power transmission into one set of lines proceeds apace.
In 2008 Europe already had over 39 million smart meters installed (with Italy leading the charge). Some of these already-installed smart meters have advanced capabilities that go well beyond measuring exactly when electricity is consumed. They can also turn power on and off, ferret out unauthorized use, detect outages, and determine billing parameters. (If you put on your black hat and start thinking like a bad guy, you can see that this could get fun fast.)
Figure 1: A typical smart meter.
Obviously, the key challenge for smart meters is to get information regarding power consumption back to central services in a secure and reliable manner. There are many ways to transmit these data, but there is a clear trend toward the use of the TCP/IP standard (familiar to Internet geeks everywhere).
Data transmission turns out to be a hard problem from a reliability perspective (think of all of the disparate conditions and distinct locations where these meters need to perform, not to mention network outage, latency, and so on); but the real kicker is security. As usual, it appears that security is playing second fiddle to functionality in the rush to adopt technology. So, who would attack the power grid, and what would they do?
Smart Meters and Dumb Security
Believe it or not, software security has a huge impact on smart meters. For the sake of simplicity, think of a smart meter as a little computer hung on the outside of your house that is connected to both the power grid and a communications network. The question is, what is the state of security supported by the software in the meter? Is it riddled with vulnerabilities? Or was it built to withstand malicious adversaries? What happens when smart grid software is attacked?
There's bad news, of course. Some smart meter software appears to be riddled with software vulnerabilities. In July 2009, Mike Davis, a computer consultant from IOActive, gave a talk at Blackhat entitled Recoverable Advanced Metering Infrastructure in which he clearly described very serious security problems with smart meters. Davis and company procured some smart meters from eBay and proceeded to reverse the software and discover a number of vanilla software security problems and vulnerabilities. Building on a buffer overflow attack, Davis created a rootkit and a worm to propagate the rootkit between meters, revealing a scenario in which a botnet of compromised meters could be created.
It gets worse. Not only was the (broken) software susceptible to Davis' attack, but in some cases the data transmission and software update features in the smart meters were not properly protected with simple security mechanisms such as cryptography and authentication. We all know by now that software security is not a thing and that paying attention to the way the entire system is put together is critical, but no crypto?!
What all this technical risk really means in the end is not pretty. If you can root a smart meter through a buffer overflow exploit and built a botnet of compromised meters, the power grid itself is in trouble. Given the ability to turn compromised meters on and off all at once through a botnet controller, even a simple attack involving 50,000 meters could cause a 30 megawatt stability problem. That is the kind of problem that can bring the entire system down in a cascading failure. This is completely unsettling. And it's real.
In March, I gave a keynote talk to hundreds of executives who operate rural electric cooperatives throughout the country as part of the NRECA annual conference. Worry about the scenario above was palpable in the room as I described the attack. This is something that can actually happen.
Cyberwar, Terrorism, and Critical Infrastructure
The New York Times, in a story by John Markoff, describes a peculiar situation in which a Chinese academic paper about reliability and power grids is setting off alarm bells in the US government. According to Markoff, the academic paper was presented during a House Foreign Affairs Committee hearing as "describing how to attack the US power grid." Clearly, things are already on edge when it comes to cyber attacks and the critical infrastructure.
The problem is that our critical infrastructure really is at risk, and our foray into more advanced technology for the grid appears to be moving things in the wrong direction. There is a decent answer to addressing cyber risks in the power grid, but it is complex. The companies who purchase smart grid technology need to ask their suppliers for some evidence that their products are properly secure. The suppliers themselves (think Siemens) need to practice reasonable software security as described in the BSIMM.
This is an issue that major banks have already been addressing as "supply chain" software security. It's high time the embedded systems manufacturers and power grid operators did the same thing.