How to Improve Smart Grid Endpoint Security

Publisher: 会哭的蓝精灵 Latest update time: 2013-04-26

Abstract: Electricity meters and sensors are usually dispersed in places far from the power company's line of sight. This article discusses techniques for improving the security of these smart grid endpoints. It considers traditional physical and logical attacks as well as attacks that penetrate the supply chain, which pose a serious threat to a power company's meter deployment. The security techniques that counter these attacks have already been applied successfully in the financial payment industry and can be used just as reliably to protect the smart grid.

As countries around the world race to deploy smart grids, securing these systems has become an important issue. Although there are few standards specifically for smart grid security, power companies have begun to invest heavily in the early stages of deployment: IT systems for data collection and analysis, advanced communication technologies to transmit the data, and endpoints (such as smart meters) and grid health monitoring systems that generate the raw data. Security has become a widespread concern in recent years, but much work remains, especially in protecting the "endpoints", such as meters and grid sensors. This article gives an overview of the threats these endpoints face and the security technologies that address them.

Figure 1. Smart grid model - utilities collect data from endpoints via a communications network.

Security Threats

There are undoubtedly many security risks facing smart grids, but they fall roughly into two categories. The first is the individual attack, in which the attacker targets smart grid data for personal gain: for example, evading electricity charges, or concealing the electricity consumption of an illegal drug production operation. The purpose of an individual attack is not to disrupt grid management, but simply to benefit a particular person or group.

The second type is the social attack, which threatens society as a whole and includes attempts to disrupt the operation of the power grid. This could be an attack on the grid itself (misreporting energy consumption across a large area, causing financial strain on the whole grid) or an attack on society (for example, a terrorist attack) that causes the grid to fail and users to lose power. When outages occur, the production and financial losses are immeasurable, especially in extremely hot or cold climates, and human life and safety are threatened as well.

Weak links

Attackers typically look at the whole power grid and try to determine the best place to launch an attack, so as to achieve the desired outcome with the least investment and the lowest risk. We can briefly examine a "power center to endpoint" model and consider how an attacker in each of the two categories might achieve their goal.

Individual threats: For example, a hacker who wants to reduce his electricity bill may break into the power company's control room and change the meter records; he may intercept the energy consumption data in transit to the power company and alter it; or he may tamper with the meter firmware directly so that it records less consumption.

Social threats: Take a terrorist who wants to cut power to a large number of users. The attacker may sneak into the power control room and remotely disconnect a large number of meters, or shut down the supply from a substation. The attacker may also inject commands into the communication bus to perform similar actions; control meters so that they open their disconnect relays directly at the remote end; or control sensors so that they feed wrong data back to the power company, causing the control center to misjudge the situation and take wrong actions.

Even this simple model shows the attack paths that exist. The attacks above can be carried out at most links of the grid (the power company's control room, the communication network, and the endpoints). Improving the overall security of the system protects all three links, but in practice we need to identify the weakest one. That is exactly what attackers do: they find the easiest point of intrusion, the weak link of the smart grid, and attack there.

Consider how an attacker views the three main links. Successfully breaking into a utility control room gives the greatest control over the grid, but carries the highest risk. The control room is, as a rule, well protected, with good access control and secure authentication procedures. It is also difficult for an intruder to hide there: even if security staff do not catch the intruder, the surveillance cameras will record the entry. An insider could of course attack the whole grid most effectively from the utility control center, but utility regulations strictly limit individual permissions, so no single person is allowed to perform an operation that threatens grid operation; such operations normally require several people to be present at the same time, which reduces the risk of insider crime.

The attacker's second option is therefore the communication link. To date, most discussion of smart grid security has focused on the communication link, and most deployments use strong encryption to protect the data and commands exchanged between smart grid endpoints and the power center. To attack the communication channel successfully, the attacker must obtain the encryption key or authentication key. Since a sound communication protocol never exposes its keys on the channel, the attacker can only (1) obtain the key from the power company or from the endpoint; or (2) brute-force the channel's encryption/authentication mechanism. Note that option 1 is not actually an attack on the channel itself, but on other components of the grid. Brute force (option 2) is also unlikely to produce results: for a common algorithm such as AES-128, exhaustive key search is computationally infeasible, requiring far more computation than any attacker can bring to bear and, in any case, far longer than the useful life of the data being protected.

Attackers will then turn to the smart grid endpoints themselves: devices such as smart meters or the sensors that monitor the health of the grid. These devices are more attractive because they are relatively poorly protected, widely dispersed outdoors, or installed along long transmission lines. Data concentrators are also worth considering, as they too are often unprotected. These weak points give attackers the opportunity to study the devices and try different attack methods. Admittedly, these endpoints are energized and sometimes hard to reach (for instance on high-voltage transmission lines), so working on them is dangerous, but the same safety provisions that protect line workers are available to an attacker. On the face of it, endpoints such as meters are where attackers are most likely to succeed. But how do adversaries actually carry out such attacks?

Attacking installed electricity meters

The following discussion applies to any endpoint on the smart grid that has communications capabilities, but for ease of discussion, we use smart meters as an example.

For an individual attack, the attacker will do whatever is needed to compromise the meter. This could mean altering the current-sensing mechanism so that it measures less power consumption, or reverse engineering the meter software so that it reports less consumption.

A social attack might start in a similar way: the attacker studies the meters and tries to understand how they work. The goal is to extract cryptographic keys, reverse engineer software protocols, and reconfigure the meters. If successful, the attacker could reconfigure a large number of meters to reduce their reported power consumption or to disconnect them all at a specified date and time.

How can smart grid endpoints be secured against such threats? Available embedded security technologies (for example, the security processors widely used in financial transactions and government agencies) provide good protection against attacks on individual meters. These technologies integrate methods for detecting physical attacks (tampering with the hardware) and logical attacks (analysis of the embedded system's memory, application, or protocols).

Embedded systems with physical attack detection mechanisms can detect tampering. These products use physical sensors, such as switches that detect when the device housing is opened, motion sensors, and environmental sensors. Once an attack is detected, the meter can take appropriate measures, such as attempting to contact the power center or even erasing the security key (erasing the key is better than letting the attacker extract it).
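The following simulation is an added example illustrating the tamper-response sequence described above; it is not code from the original article or from any vendor's security processor. The sensor channels, thresholds and key are assumptions. The order matters: the meter decides from its sensors that the event is real, authenticates an alert to the power center while it still holds the key, and only then zeroizes the key so it cannot be extracted.

```python
"""Tamper detection and response for a smart-meter endpoint (simulation).

Constructed example added to illustrate the article; not the article's or any
vendor's code. Sensor channels, thresholds and the key are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed operating envelope; a real meter takes these from the security
# processor's datasheet and its own housing design.
TEMP_LIMITS_C = (-40.0, 85.0)
VDD_LIMITS_V = (3.0, 3.6)


@dataclass
class SensorSample:
    case_open: bool     # tamper switch on the housing
    motion: bool        # accelerometer: meter pulled off the wall
    temp_c: float       # environmental sensor (freezing/heating attacks)
    vdd_v: float        # supply monitor (glitching, battery removal)


def tamper_reasons(s: SensorSample) -> List[str]:
    """Return the tamper conditions a sample violates; empty means clean."""
    reasons = []
    if s.case_open:
        reasons.append("case_open")
    if s.motion:
        reasons.append("motion")
    if not TEMP_LIMITS_C[0] <= s.temp_c <= TEMP_LIMITS_C[1]:
        reasons.append("temperature")
    if not VDD_LIMITS_V[0] <= s.vdd_v <= VDD_LIMITS_V[1]:
        reasons.append("supply_voltage")
    return reasons


@dataclass
class Meter:
    meter_id: str
    key: bytearray                      # bytearray so it can be overwritten in place
    alarmed: bool = False
    alerts: List[dict] = field(default_factory=list)

    def process(self, s: SensorSample) -> Optional[dict]:
        """Check one sample. On tamper: sign an alert, zeroize the key, latch the alarm."""
        reasons = tamper_reasons(s)
        if not reasons or self.alarmed:
            return None
        body = json.dumps({"meter": self.meter_id, "event": "tamper",
                           "reasons": reasons}, sort_keys=True)
        # Authenticate the alert first: once the key is gone it can no longer be signed.
        tag = hmac.new(bytes(self.key), body.encode(), hashlib.sha256).hexdigest()
        alert = {"body": body, "mac": tag}
        self.zeroize_key()
        self.alarmed = True
        self.alerts.append(alert)
        return alert

    def zeroize_key(self) -> None:
        """Overwrite the key in place. Best effort in Python (the bytes() copy above
        may linger in memory); real firmware clears SRAM or battery-backed key registers."""
        for i in range(len(self.key)):
            self.key[i] = 0

    def key_is_zero(self) -> bool:
        return all(b == 0 for b in self.key)


def verify_alert(alert: dict, head_end_key: bytes) -> bool:
    """Power-center side: check the alert MAC with its own copy of the meter key."""
    expected = hmac.new(head_end_key, alert["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, alert["mac"])


def alert_reasons(alert: dict) -> List[str]:
    """Decode which sensors triggered the alert."""
    return json.loads(alert["body"])["reasons"]
```

The alarm is latched: after the key has been erased the meter cannot sign a second alert, so further samples are ignored until the device is re-provisioned. A real implementation also has to decide how to ride through benign events (a technician opening the case with authorization), which is a policy question this example leaves out.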

Logical protections can also keep the meter safe from attack: locking or encrypting the secure memory makes it difficult for an attacker to read or reverse engineer the software, and a secure loader locks the device during manufacturing so that an attacker cannot load unauthorized software onto the meter.

Secure key provisioning also limits social attacks to a degree. Each meter uses a unique key, so even if an attacker obtains the key of one meter, the security of the other meters is unaffected. If stealing even a single key is very difficult (thanks to the physical and logical protections described above), attacking a large installed base of meters becomes correspondingly harder for a social threat.

Attacking the supply chain

Existing embedded security technologies can reduce the risk of social attacks on electricity meters and the smart grid. However, other attack vectors must also be considered, and the device must be secured throughout its whole lifecycle.

Whether production is outsourced or done in-house, the manufacturing phase is highly exposed to theft (even on the company's own site), and above all to theft of intellectual property. In this environment, design IP can be stolen for reverse engineering, or malicious IP can be inserted into the product.

A determined attacker could reverse engineer the meter software and insert malicious code that, at a preset date and time, opens the disconnect relay, shuts down the meter's communications, and erases its internal memory, substituting this code for the legitimate IP during manufacturing. The consequences would be catastrophic: millions of deployed meters would disconnect at the same moment, and repairing or replacing them would take weeks or months and cost a great deal.

Embedded security products reduce this risk with features such as a secure bootloader, secure memory, and lifecycle management. With a secure bootloader, the meter designer or software designer sends encrypted meter software to the production line, and the secure bootloader in the system microcontroller decrypts and stores the application. Secure memory (internal or external) can likewise hold encrypted application code so that it cannot be read, reverse engineered, or copied. Lifecycle management features allow the actual supply chain to be verified: the silicon manufacturer can lock devices so that only a designated customer can unlock them and install code, and the meter OEM can lock its meters so that only the designated utility can unlock them and install software. With each additional supply chain control, the opportunity for a social attack through the meters shrinks.
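The following is an added example, not the article's or any silicon vendor's code, modelling the secure loader described above together with the lifecycle locking in this paragraph. The image layout, the key labels, the lifecycle state names and the challenge-response unlock are all assumptions, and the HMAC-based keystream stands in for a real block cipher mode such as AES-CTR. The points it demonstrates are: the loader refuses any image while locked; it authenticates the entire image before decrypting or interpreting any of it; it refuses rollback to an older version; and each hand-over in the supply chain (silicon vendor to OEM, OEM to utility) changes both the lock state and the key that can unlock the device.

```python
"""Secure bootloader with image authentication and lifecycle locking.

Constructed example added to illustrate the article; not the article's or any
vendor's code. Image layout, key labels, lifecycle states and the unlock
protocol are assumptions; _keystream() stands in for a real cipher (AES-CTR).
"""
import hashlib
import hmac
import struct
from enum import Enum

MAGIC = b"MTR1"
NONCE_LEN = 16
HDR_LEN = 4 + 8 + NONCE_LEN      # magic | version, length | nonce
TAG_LEN = 32                     # HMAC-SHA256 over header + ciphertext


class Lifecycle(Enum):
    SILICON_LOCKED = "silicon_locked"   # fab output: only the designated OEM can unlock
    OEM_OPEN = "oem_open"               # OEM may load its encrypted firmware
    OEM_LOCKED = "oem_locked"           # OEM output: only the designated utility can unlock
    UTILITY_OPEN = "utility_open"       # utility may load field updates


def derive(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one customer key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Illustrative keystream (HMAC in counter mode); a real loader uses AES."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def package_image(customer_key: bytes, version: int, plaintext: bytes, nonce: bytes) -> bytes:
    """What the meter designer ships to the production line: header | ciphertext | tag."""
    header = MAGIC + struct.pack(">II", version, len(plaintext)) + nonce
    ct = _xor(plaintext, _keystream(derive(customer_key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(derive(customer_key, b"mac"), header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unlock_response(owner_key: bytes, challenge: bytes) -> bytes:
    """Computed by the programming station of the party that owns the device."""
    return hmac.new(owner_key, challenge, hashlib.sha256).digest()


class Bootloader:
    def __init__(self, owner_key: bytes, state: Lifecycle = Lifecycle.SILICON_LOCKED):
        self.owner_key = owner_key   # key of the party entitled to unlock at this stage
        self.state = state
        self.min_version = 0         # anti-rollback floor
        self.app = None              # decrypted application, once loaded

    def unlock(self, challenge: bytes, response: bytes) -> bool:
        """Unlock only on proof of possession of the owner key."""
        if not hmac.compare_digest(unlock_response(self.owner_key, challenge), response):
            return False
        step = {Lifecycle.SILICON_LOCKED: Lifecycle.OEM_OPEN,
                Lifecycle.OEM_LOCKED: Lifecycle.UTILITY_OPEN}
        self.state = step.get(self.state, self.state)
        return True

    def lock_for(self, next_owner_key: bytes) -> bool:
        """OEM hands the meter to a utility: lock it and bind it to the utility's key."""
        if self.state is not Lifecycle.OEM_OPEN:
            return False
        self.owner_key = next_owner_key
        self.state = Lifecycle.OEM_LOCKED
        return True

    def load(self, image: bytes) -> str:
        """Verify, then decrypt, then accept. Returns a status string."""
        if self.state not in (Lifecycle.OEM_OPEN, Lifecycle.UTILITY_OPEN):
            return "locked"
        if len(image) < HDR_LEN + TAG_LEN or image[:4] != MAGIC:
            return "bad_format"
        header, ct, tag = image[:HDR_LEN], image[HDR_LEN:-TAG_LEN], image[-TAG_LEN:]
        # Authenticate the whole image before interpreting any field of it.
        expected = hmac.new(derive(self.owner_key, b"mac"), header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad_mac"
        version, length = struct.unpack(">II", header[4:12])
        if length != len(ct):
            return "bad_format"
        if version < self.min_version:
            return "rollback"
        nonce = header[12:HDR_LEN]
        self.app = _xor(ct, _keystream(derive(self.owner_key, b"enc"), nonce, length))
        self.min_version = version
        return "ok"
```

Because the MAC key changes at each hand-over, an image encrypted for the OEM is rejected once the utility owns the device, and vice versa; an attacker on the production line who swaps in their own image without the customer key gets "bad_mac", not a running meter.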

The solution?

There is no perfect smart grid security solution; implementing one would be time-consuming and costly. However, by leveraging security technologies already in common use in financial transactions and government agencies, a considerably higher level of physical and logical protection can be provided for the embedded endpoints of the smart grid.

The attacks and countermeasures described here are not unique to the smart grid. When considering the threats the smart grid faces, close attention must be paid to embedded endpoints such as electricity meters. Once meters and other endpoints are protected by multiple layers of security, attackers will have to look elsewhere.
