One year ago, the Stuxnet virus had just been discovered. A year’s worth of analysis still has not unlocked its secrets but it has had a profound influence upon the smart grid cyber security market. Utilities have — as many predicted — realized that their grids are no longer isolated or protected from attackers. According to a new report from Pike Research, utilities’ initiatives to secure their infrastructure will drive increasing investment in cyber security systems, which the cleantech market intelligence firm forecasts will total $14.0 billion during the period from 2011 through 2018.
A highly sophisticated software program is wreaking havoc on large industrial sites in Iran, Indonesia and other countries, targeting power plants, nuclear installations, pipelines and others. According to computer security experts, the Stuxnet worm propagates itself via Windows security holes (what a surprise). It looks for certain software programs made by Siemens, whose hardware and software are installed in systems used by many power companies (electric and nuclear plants). Iran has suffered disproportionately from these attacks, leading many to believe that the worm is a “government sponsored” piece of malware.
Security researchers at the Black Hat and Defcon cybersecurity conferences last week highlighted flaws in smart grid technology that could lead to system hacking or disruption of service.
One security firm, IOActive, has been advocating against propagation of smart grid meters until security flaws are corrected.
Mike Davis, a security researcher at IOActive, gave a presentation at the cybersecurity conferences on a potential hack that could infect smart meters and spread a worm program across the grid’s communication network, according to the Associated Press.
Davis’ company warned members of Congress and the Department of Homeland Security in March that common security vulnerabilities in the grid could cause utilities to momentarily lose system control of their smart meter devices, opening them up to potential fraud or widespread system interruption.
“If security is not addressed in the design and implementation of these emerging technologies, it may prove cost prohibitive to address them once the devices are fully deployed,” the company warned.
For a utility that’s in the process of installing smart meters, there are probably few things more terrifying than the simulation of a smart meter worm that IOActive’s Mike Davis showed off at the annual security conference Black Hat on Thursday. During his presentation, Davis showed how he and his team at the security consulting firm created a simulation in which, over a period of 24 hours, about 15,000 out of 22,000 homes had their smart meters taken over by a worm that could put each device under the control of the worm’s designers.
Davis showed off a time-condensed version of the simulation using an overlay on Google Earth. At the beginning of the simulation there were 22,000 green pins on the satellite map, signifying actual plotted addresses in a metropolitan area; after the introduction of the smart meter worm, the majority of the pins quickly turned a shade of red, with the infection spreading rapidly from the point where the worm was introduced. The image was reminiscent of the spread of an infectious disease, and Davis said that in a real-world scenario the worm could spread more slowly or more quickly, depending on a variety of technical conditions.
Davis said the reason he could so easily hack the meter and spread the worm in the simulation was a fundamental design flaw in the specific meter model itself, though Davis wouldn’t name any individual manufacturers. Among other things, the meter he took over didn’t have proper data encryption and couldn’t tell the difference between the meter next to it in the network and a device that was intended to wirelessly upgrade its software. “The guys that built this meter had a short term view of how it would work,” Davis said.
The manufacturer of the meter used in the simulation didn’t take kindly to being told its security wasn’t up to snuff. Davis explained to the audience that when he told the manufacturer about the capabilities of the worm simulation, the first response from the meter maker was: “That’s impossible, our meters can’t spread something like that.” When Davis told them he had personally done this in his company’s security lab, the next response from the meter maker was: “How can you even access our meters?” Davis says he explained that he bought it on eBay.
New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid, according to a security researcher who plans to demonstrate several attacks at a security conference next month.
The so-called smart meters for the first time provide two-way communications between electricity users and the power plants that serve them. Prodded by billions of dollars from President Obama’s economic stimulus package, utilities in Seattle, Houston, Miami, and elsewhere are racing to install them as part of a plan to make the power grid more efficient. Their counterparts throughout Europe are also spending heavily on the new technology.
There’s just one problem: The newfangled meters needed to make the smart grid work are built on buggy software that’s easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse.
“We can switch off hundreds of thousands of homes potentially at the same time,” Davis, who has spent the past few months analyzing a half-dozen smart meters, told The Reg. “That starts providing problems that the power company may not be able to gracefully deal with.”
To prove his point, Davis and his IOActive colleagues designed a worm that self-propagates across a large number of one manufacturer’s smart meters. Once infected, a device is under the control of the malware developers in much the way infected PCs are under the spell of bot herders. Attackers can then send instructions that cause its software to turn power on or off and reveal power usage or sensitive system configuration settings.
The worm, which Davis will demonstrate next month at the Black Hat security conference in Las Vegas, is able to spread quickly. It exploits an automatic update feature in the meter that runs on peer-to-peer technology that doesn’t use code signing or other measures to make sure the update is authorized. It uses a routine known as interrupt hooking, which adds additional code to the device’s operating system.