
Page 1: Smart grid networks and security architecture: Threat analysis, threat scenarios and vulnerabilities

Smart grid networks and security architecture: Threat analysis, threat scenarios and vulnerabilities

John-Andre Bjørkhaug

Gjøvik University College

June 2014

Abstract

In 2003 there was a massive blackout in the north-east of the United States, caused by errors in the control system of the power grid. Because of this, the U.S. Department of Energy funded smart grid research to build a more secure and safe power grid. With smart grids it will be possible to have better monitoring and control of the power grid, in addition to bringing in new services like continuous monitoring of customers' power usage, making it possible for them to use high-power equipment when the power is cheap, making it easier to cut or choke power to a customer if bills are not paid, and so on. Even having household equipment connected directly to the smart grid for communication with the outside world would be possible: the Internet of Things. This must sound just so freaking awesome for utility companies and customers. It would be much easier to see what happens in the power grid, and at the same time much easier to control it. And customers will save money! A win-win situation for all! But all things come at a cost, so what about security? One of the problems with smart grids, and control systems in general, is that in far too many cases security is not thought of at all. Security is often set aside to make systems more user-friendly and more profitable. This brings us to the main task of this paper: threats and vulnerabilities in smart grids and the Internet of Things. The paper first gives an introduction to why it is important to think about threats to the smart grid and the Internet of Things, and gives an example of a demo smart grid project in Norway. Then there is a discussion of multiple books and papers with relevant information on this subject, both sources used in this paper and some other good references. The next section begins with a presentation of the model for threat analysis used in this paper, called STRIDE, and continues with a presentation and discussion of different threats to the main parts of the smart grid. Then there is a section presenting some vulnerabilities and how they can impact the smart grid and the Internet of Things. The last section is a conclusion, giving a summary of the paper and discussing the future of smart grids and the Internet of Things.

1 Introduction

In 2003 there was a massive blackout in the power grid of the north-east of the USA. 50 million customers were without power for four days! This has been calculated to be a loss of approximately $6 billion. This highlighted the need for more effective, real-time control of the power grid, and led the U.S. Department of Energy (DOE) to fund smart grid research [17]. The main purpose of the smart grid is to continuously monitor and control the power grid, together with making it possible for the utility companies to continuously measure their customers' power usage, choke or cut the power if necessary, and to be a possible communication channel for devices like alarm systems and cooling and heating systems: the Internet of Things. All this is possibly done over an open channel like PLC (Power Line Communication), which in theory gives everyone connected to the grid access to all the endpoints, both the customers' and those belonging to the utility companies. Every security professional should get a bad feeling in the stomach when hearing about this. First of all, data about customers' power usage can be quite a challenge to privacy, and even confidentiality. For example it may be possible to see whether people are home, and whether they are up in the middle of the night cooking food. Since the utility companies use this data for invoicing, customers can be very interested in changing this data so that their power usage appears lower than it really is, or in changing the usage so it appears higher for someone they don't like. That is a real threat to the integrity of the system. And when talking about the possibility to choke how much power a customer can use, or even cut the power entirely to a building, that is a great challenge to availability! This paper only considers man-made threats to the smart grid; natural ones like falling trees and lightning are not taken into consideration.

In the city of Steinkjer in Norway there is an ongoing project, called Demo Steinkjer, which is a full mini implementation of a smart grid and Internet of Things, used for testing and demonstration. A comprehensive risk analysis of this project was done by SINTEF and Telenor in 2012 [10]. This has been a valuable source for this paper.

This paper starts with section 1, the introduction you are now reading. Section 2 describes the different sources used for this paper and other relevant papers and books. Section 3 presents the model for threat analysis used in this paper and describes different threat scenarios and threat analysis for the smart grid and the Internet of Things. Section 4 discusses some vulnerabilities. The paper ends with a conclusion in section 5, giving a summary of the paper and discussing the future of smart grids and the Internet of Things.

2 Related works

One very good source, in Norwegian, when writing this paper has been the report Risikovurdering av AMS (risk assessment of AMI) and Security Threats in Demo Steinkjer from 2012 by Line et al. from NTNU and the Norwegian research organisation SINTEF [11], which is the largest independent research organisation in Scandinavia. The Demo Steinkjer paper has sections that are very general, and it has been the main source of information when discussing threats in this paper. The report is rather superficial, but gives a good overview of threats and vulnerabilities in the smart grid. In addition, the book Smart Grid Security: An End-to-End View of Security in the New Electrical Grid by Sorebo and Echols from 2011 [21], Security and Privacy in Smart Grids by Xiao from 2013 [23], Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure by Knapp and Samani from 2013 [8], and Securing the Smart Grid: Next Generation Power Grid Security by Flick et al. from 2010 contain a lot of information about security in smart grids, as their titles say.

3 Threat analysis and threat scenarios

The threats to the smart grid and the Internet of Things can be split into multiple areas, and this paper will focus on the following:

• Distribution System Operator (DSO), in other words the central system of the smart grid

• Smart meters


• Communication lines

• Third party equipment (Internet-of-Things)

• Power grid itself

The main source of information in this section has been the paper Security Threats in Demo Steinkjer from 2012 by Line et al. [10], but other sources are also used, among them some mentioned in the previous section. In addition, much of the threat analysis and threat scenarios come from the author's experience as a telecommunication engineer, network engineer, security advisor and penetration tester.

Before discussing the different threats, the model for threat analysis used in this paper needs to be presented. This model is called STRIDE.

3.1 The STRIDE Threat model

According to Microsoft, when looking at threat scenarios it is necessary to ask questions like the following [12]:

• How can authentication data be changed by the attacker?

• What is the impact if an attacker can read the user profile data?

• What happens if access is denied to the user profile database?

To answer these questions, a model called STRIDE can be used [12]. The name STRIDE is derived from the first letter of the six threats discussed: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.

• Spoofing: According to Bishop [2], spoofing is "... an impersonation of one entity by another, a form of both deception and usurpation. It lures a victim into believing that the entity with which it is communicating is a different entity. For example, if a user tries to log into a computer across the Internet but instead reaches another computer that claims to be the desired one, the user has been spoofed. Similarly, if a user tries to read a file, but an attacker has arranged for the user to be given a different file, another spoof has taken place. This may be a passive attack (in which the user does not attempt to authenticate the recipient, but merely accesses it), but it is usually an active attack (in which the masquerader issues responses to mislead the user about its identity)." ARP spoofing and DNS spoofing are very common on computer networks. In STRIDE terms, authentication mechanisms counter this threat (Bishop [2] files it under integrity).


• Tampering: According to Swiderski et al. [22], tampering is "the modification of data within the system to achieve a malicious goal." Tampering attacks the integrity of data, which is very important in smart grids, or Advanced Metering Infrastructure, since correct billing is one of the main points of this technology.

• Repudiation of origin: According to Bishop [2], repudiation of origin is "...a false denial that an entity sent (or created) something, is a form of deception. For example, suppose a customer sends a letter to a vendor agreeing to pay a large amount of money for a product. The vendor ships the product and then demands payment. The customer denies having ordered the product and by law is therefore entitled to keep the unsolicited shipment without payment. The customer has repudiated the origin of the letter. If the vendor cannot prove that the letter came from the customer, the attack succeeds." Non-repudiation mechanisms such as audit logging and digital signatures counter this threat (Bishop [2] files it under integrity).

• Information disclosure: According to Swiderski et al. [22], information disclosure is "the exposure of protected data to a user that is not otherwise allowed access to that data." Confidentiality mechanisms counter this threat.

• Denial of service: According to Bishop [2], denial of service is "... a long-term inhibition of service, is a form of usurpation, although it is often used with other mechanisms to deceive. The attacker prevents a server from providing a service. The denial may occur at the source (by preventing the server from obtaining the resources needed to perform its function), at the destination (by blocking the communications from the server), or along the intermediate path (by discarding messages from either the client or the server, or both)." Availability mechanisms counter this threat.

• Elevation of privilege: According to Swiderski et al. [22], elevation of privilege is "...when an adversary uses illegitimate means to assume a trust level with different privileges than he currently has." Authorization mechanisms, with every account and process kept to the least privilege it needs, counter this threat.

3.2 Distribution System Operator

The Distribution System Operator, or DSO, is the part of the smart grid that is placed at the utility company. This is the central system, and contains all the juicy stuff for attackers: databases, SCADA and so on. If an attacker is able to compromise this and gain full access, the entire CIA triad is gone. Confidentiality: the attacker has access to all the information on all customers. Integrity: the attacker can change all the information he wants, most likely billing information. Availability: the attacker can control the power grid, switching customers' power off and on, and even choking it. The DSO may be attacked through the meters, as will be discussed in the section below, but also directly through systems not directly connected to the smart grid, depending on how the networks are segmented. Let us discuss one example. The utility company has a web application on the Internet which customers can visit to see their power usage. This web application gets its information from a database, which in turn gets its information from meter readings through some other systems. If an adversary is able to compromise the database server, for example with an SQL injection attack on the web application, there is a possibility that he will be able to reach the infrastructure acquiring data from and controlling the smart grid. This all depends on how the system is hardened and segmented.
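The SQL injection path sketched above, as an added example that is not from the paper or from any utility's code: a Python script with a constructed in-memory SQLite database standing in for the customer portal's database, a query built by string concatenation beside its parameterised form, and two injection strings run against both. The table names, rows, meter identifiers and the 10.0.5.20 management address are hypothetical.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the DSO's customer-portal database (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usage (customer_id TEXT, month TEXT, kwh REAL)")
    conn.execute("CREATE TABLE meter_config (meter_id TEXT, fw_version TEXT, mgmt_host TEXT)")
    conn.executemany("INSERT INTO usage VALUES (?, ?, ?)", [
        ("C-100", "2014-05", 412.0),
        ("C-100", "2014-06", 380.5),
        ("C-200", "2014-05", 1290.0),
        ("C-300", "2014-06", 75.2),
    ])
    # Hypothetical operational data the portal was never meant to expose.
    conn.executemany("INSERT INTO meter_config VALUES (?, ?, ?)", [
        ("MTR-0001", "1.2.0", "10.0.5.20"),
        ("MTR-0002", "1.1.9", "10.0.5.20"),
    ])
    return conn


def usage_vulnerable(conn: sqlite3.Connection, customer_id: str) -> list:
    """The customer id is pasted into the SQL text, so it can rewrite the query."""
    sql = ("SELECT customer_id, month, kwh FROM usage "
           "WHERE customer_id = '" + customer_id + "'")
    return conn.execute(sql).fetchall()


def usage_safe(conn: sqlite3.Connection, customer_id: str) -> list:
    """Bound parameter: the id is data and can never become part of the statement."""
    sql = "SELECT customer_id, month, kwh FROM usage WHERE customer_id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


# Two injection strings. The first turns the WHERE clause into a tautology; the
# second pulls rows from a table the portal never selects from (column counts match).
PAYLOAD_ALL_ROWS = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT meter_id, fw_version, mgmt_host FROM meter_config --"


def customers_in(rows) -> list:
    """Distinct first-column values, sorted, so results are easy to compare."""
    return sorted({row[0] for row in rows})


def demo() -> dict:
    conn = make_demo_db()
    return {
        "vuln_normal": customers_in(usage_vulnerable(conn, "C-100")),
        "vuln_all_rows": customers_in(usage_vulnerable(conn, PAYLOAD_ALL_ROWS)),
        "vuln_union": customers_in(usage_vulnerable(conn, PAYLOAD_UNION)),
        "safe_normal": customers_in(usage_safe(conn, "C-100")),
        "safe_all_rows": customers_in(usage_safe(conn, PAYLOAD_ALL_ROWS)),
        "safe_union": customers_in(usage_safe(conn, PAYLOAD_UNION)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value}")
```

The parameterised query stops the injection, but it does nothing about the paper's second point: if the database host can reach the systems that collect readings and send control commands, a compromise by any other route still reaches the grid. That is why network segmentation appears under nearly every threat below, alongside software quality.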

• Spoofing: An adversary may be able to spoof an identity in order to connect to services running at the DSO, like for example web applications. Spoofing the identity of a customer will give access to personal data; spoofing the identity of a system administrator can in the worst case give access to monitor and/or control parts of the smart grid. The important security measures for preventing spoofing are:

– Good authentication mechanism

– Network segmentation

• Tampering: If it is possible to compromise the DSO, either by exploiting vulnerabilities in for example web applications, or through spoofing of identity or escalation of privileges, it may be possible for an adversary to tamper with meter readings for financial gain to himself or loss for others. It may also be possible to tamper with the grid itself, making it behave as the adversary wishes. The important security measures for preventing tampering are:

– A secure communication infrastructure and protocols

– Quality of software

– Network segmentation


• Repudiation of origin: When talking about repudiation of origin, accounting is the thing. All actions done by administrators of the smart grid should be logged, making it possible to go back and see who has done what, and when. It should not be possible to make changes to the system without using approved software with accounting. The important security measures for repudiation of origin are:

– Good accounting system

– Strong integrity control

• Information disclosure: Much like what is already discussed under spoofing, but also, if it is possible to compromise the DSO, for example by exploiting vulnerabilities in a web application, it may be possible for an adversary to get access to all sorts of information, everything from personal data to software and configuration settings. The important security measures for information disclosure are:

– A secure communication infrastructure and protocols

– Quality of software

– Strong encryption

– Network segmentation

• Denial of service: If it is possible to spoof or elevate privileges to those of a system administrator, or to compromise the system by exploiting a vulnerability, it may be possible to get access to the control mechanisms of the smart grid. This can in the worst case give an adversary the possibility to control the grid as he wishes, where he can simply cut the power to whoever he wishes. That must qualify as a rather good DoS attack. Also, since a lot of services available on the Internet are running in the DSO, a Distributed Denial of Service (DDoS) attack, for example through a botnet, is possible. The important security measures for denial of service are:

– A secure communication infrastructure and protocols

– Quality of software

– Strong encryption

– Network segmentation

– DDoS protection


• Elevation of privilege: Elevation of privilege will be much like spoofing the identity of a system administrator in for example web applications; it can in the worst case give access to monitor and/or control parts of the smart grid. The important security measures for elevation of privilege are:

– Quality of the software on both meters and the systems in the DSO

– Strong passwords

– Access lists

– Network segmentation

3.3 Meters

The smart meters are the devices placed at every customer location. There exist both master and slave meters; the masters communicate with the DSO directly, and the slave meters communicate with the DSO through a master meter.

First, master meters communicate directly with the DSO. The traffic that goes over this communication is the information needed to create and maintain the communication, readings and events from the meter, control messages, software updates, configuration changes, reading requests, cryptographic key updates, price information, break/choke commands and so on.

• Spoofing: There are two identities to consider, the ID of the DSO and the ID of the meter. Spoofing the ID of the DSO will make the meter believe it is communicating with the DSO, thereby possibly making it possible to do all the things mentioned above, including circuit breaking (availability) and access to personal data (confidentiality). Changing the ID of the meter creates the possibility to report meter readings on behalf of others. The important security measure for preventing spoofing is:

– Good authentication mechanism

• Tampering: If an adversary is able to tamper with the data from the meter to the DSO, he may be able to modify or insert new messages, which can result in "...errors in meter reading reports, wrong configuration settings, unauthorized changes of software, or erroneous or missing alarms." [10] In addition, it can make it possible to attack for example the DSO through exploitation. The important security measures for preventing tampering are:

– A secure communication infrastructure and protocols

– Strong integrity protection

– Strong encryption

• Repudiation of origin: Repudiation of origin is very important when considering the security of smart meters, since billing and response to control messages are their main tasks. If there is no way of proving that a meter has received a message, for example a request for a reading, a circuit break or a software update, an adversary can block these messages to the meter, thereby blocking a response from the meter, and deny having done so. An adversary can also send malicious traffic from a meter to the DSO with the purpose of attacking the DSO. The malicious traffic can be for example erroneous alarms, fake meter reports, or exploit code. With no way of proving where traffic was sent from, it is difficult or impossible to find the cause of the problem, and whether someone should be held responsible. The important security measures for preventing repudiation of origin are:

– Strong integrity control of messages bound to the sender (a message authentication code or a digital signature; a bare cryptographic hash can be recomputed by anyone who edits the message and proves nothing about its origin)

– The ability to check whether a message has been received (acknowledgement)

• Information disclosure: When it comes to information disclosure in the context of meters, there are basically two threats to look at. First, eavesdropping on the traffic between a meter and the DSO. The data sent between these was discussed earlier: personal data like meter readings, and possibly confidential data like software updates and configuration settings. Second, a compromised meter itself can disclose configuration settings, encryption keys, software and so on, which can be used for attacking other meters or the DSO itself. This point is more relevant in a later threat discussion, when it comes to malicious remote or local access to meters. The important security measures for information disclosure are:

– A secure communication infrastructure and protocols

– Strong integrity protection

– Strong encryption


• Denial of service: The most important threat here is a DoS attack on the DSO from the smart meters. If multiple smart meters are compromised, acting like a smart meter botnet, a DDoS attack against the DSO is possible. This works like a regular botnet known from the computer world: a very large number of smart meters send data to the DSO at the same time, rendering the DSO unavailable for legitimate use. Also, vulnerabilities in the DSO can be exploited, leaving services there unavailable and therefore denying meters communication with it. Another DoS attack would be against the meters: changing the configuration or encryption keys on smart meters means they are no longer able to communicate with the DSO. The communication channel between the smart meters and the DSO can also be attacked, leaving the communication unavailable. This can be done in multiple ways. If cellular communication is used, a jammer would destroy the meters' ability to communicate with the DSO. If the communication uses another shared medium, for example the power lines (PLC), this can also be jammed with special equipment that is probably rather easy to build: just introduce some simple noise onto the power grid. The important security measures for denial of service are:

– Quality of the software on both meters and the systems in the DSO

– Strong passwords

– A secure communication channel, with jamming protection

– High capacity on communication channel and DSO

– DDoS protection

– Integrity check of configuration

• Elevation of privilege: In the meter-to-DSO communication, both parties can be interesting for an adversary to compromise. First, if it is possible to exploit a vulnerability, or in one way or another get malware into the DSO, an adversary can in the worst case get access to control the DSO with full system privileges, with at least the same rights as the administrators of the system. If an adversary manages to compromise a meter, for example by exploiting a vulnerability, all data held on the meter is disclosed. This is information already mentioned, for example personal data like meter readings, but also software, configuration settings, encryption keys and so on. The important security measures for elevation of privilege are:


– Quality of the software on both meters and the systems in the DSO

– Strong passwords

– Access lists

For locations with multiple meters, slave meters can be used. These communicate with the DSO through the master meters. Let us now take a look at this meter-to-meter communication. The traffic that goes over this communication is readings and events from the meter, control messages, software updates, configuration changes, reading requests, cryptographic key updates, price information, break/choke commands and so on.

• Spoofing: The identities to be spoofed are those belonging to the meters. According to Line et al. [10] it can be possible to spoof the identity of a master meter, by using "[A] compromised slave meter, or some other IT equipment, claiming to be a master meter, and trick slave meters to send their communication via this fake master instead of the real master. Alternatively, a slave meter/attacker falsely claims to have the shortest route to the master, and thus tricks nodes into sending their messages via this fake slave node. Consequences of such an attack depend on the security measures in place, with denial of service and information disclosure as potential consequences." The important security measures for spoofing are:

– Good authentication mechanism

– Detection of duplicate meter ID

• Tampering: Data can be tampered with either on the communication channel between the slave and master meters, or by a compromised master meter. If the communication is tampered with, regardless of whether it is a wired or wireless solution, the result can be "...errors in meter reading reports, wrong configuration settings, unauthorised changes of software, or erroneous or missing alarms. It can also open up for attacks on the HES or the meter nodes (exploits). Attackers may modify messages or insert new messages." [10] (The HES is the head-end system, the collector on the DSO side.) Traffic from a slave meter can also be tampered with if it passes through a compromised master meter, or some other computer equipment that has "stolen" the role of master meter, i.e. a man-in-the-middle (MITM) attack. This has the same consequences as a tampered communication channel, as quoted above [10]. The important security measures for preventing tampering are:

– A secure communication infrastructure and protocols

– Strong integrity protection

• Repudiation of origin: Repudiation of origin is just as important between slave and master meters as between master meters and the DSO, since billing and response to control messages are the meters' main tasks. If there is no way of proving that a slave meter has received a message, for example a request for a reading, a circuit break or a software update, an adversary can block these messages to the meter, thereby blocking a response from the meter, and deny having done so. An adversary can also send malicious traffic from a slave meter, through the master, towards the DSO with the purpose of attacking it. The malicious traffic can be for example erroneous alarms, fake meter reports, or exploit code. With no way of proving where traffic was sent from, it is difficult or impossible to find the cause of the problem, and whether someone should be held responsible. The important security measures for preventing repudiation of origin are:

– Strong integrity control of messages bound to the sender (a message authentication code or a digital signature; a bare cryptographic hash can be recomputed by anyone who edits the message and proves nothing about its origin)

– The ability to check whether a message has been received (acknowledgement)
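The integrity, origin and acknowledgement requirements listed for the master-to-DSO traffic above and repeated here for slave-to-master traffic, as an added example that is not from the paper or from the Demo Steinkjer project: a Python model of a meter report authenticated with a per-meter HMAC key and a sequence number, and a head end that answers with an authenticated acknowledgement. It also shows what the bare-hash form of "integrity control" fails to catch. The message layout, key values and meter identifiers are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo keys, one per meter; a real DSO provisions and rotates these per device.
METER_KEYS = {
    "MTR-0001": bytes.fromhex("11" * 32),
    "MTR-0002": bytes.fromhex("22" * 32),
}


def canonical(body: dict) -> bytes:
    """Stable encoding so meter and head end authenticate exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def tag(key: bytes, body: dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def meter_report(meter_id: str, seq: int, kwh: float, key: bytes) -> dict:
    """Message as a meter would send it: body plus a MAC under the meter's own key."""
    body = {"id": meter_id, "seq": seq, "type": "reading", "kwh": kwh}
    return {"body": body, "tag": tag(key, body)}


class HeadEnd:
    """DSO-side receiver: checks origin (which key), integrity (tag) and freshness (seq)."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.last_seq = {}        # highest sequence number accepted per meter
        self.accepted = []

    def receive(self, msg: dict) -> dict:
        body = msg["body"]
        key = self.keys.get(body.get("id"))
        if key is None:
            return {"status": "reject", "reason": "unknown meter id"}
        if not hmac.compare_digest(msg["tag"], tag(key, body)):
            return {"status": "reject", "reason": "bad tag"}     # tampered or spoofed
        if body["seq"] <= self.last_seq.get(body["id"], 0):
            return {"status": "reject", "reason": "replay"}
        self.last_seq[body["id"]] = body["seq"]
        self.accepted.append(body)
        # The acknowledgement is authenticated too, so the meter can tell the real
        # head end from someone spoofing the DSO's identity.
        ack = {"id": body["id"], "type": "ack", "ack_for": body["seq"]}
        return {"status": "ok", "ack": {"body": ack, "tag": tag(key, ack)}}


def meter_verifies_ack(key: bytes, expected_seq: int, ack: dict) -> bool:
    return (hmac.compare_digest(ack["tag"], tag(key, ack["body"]))
            and ack["body"].get("ack_for") == expected_seq)


def bare_hash_report(meter_id: str, seq: int, kwh: float) -> dict:
    """What a keyless 'cryptographic hash' integrity field looks like."""
    body = {"id": meter_id, "seq": seq, "type": "reading", "kwh": kwh}
    return {"body": body, "tag": hashlib.sha256(canonical(body)).hexdigest()}


def bare_hash_checks_out(msg: dict) -> bool:
    return msg["tag"] == hashlib.sha256(canonical(msg["body"])).hexdigest()


def demo() -> dict:
    hes = HeadEnd(METER_KEYS)
    out = {}
    genuine = meter_report("MTR-0001", 1, 12.5, METER_KEYS["MTR-0001"])
    resp = hes.receive(genuine)
    out["genuine"] = resp["status"]
    out["ack_verified"] = meter_verifies_ack(METER_KEYS["MTR-0001"], 1, resp["ack"])
    # Tampering: the reading is changed in transit, the tag is left as it was.
    tampered = {"body": dict(genuine["body"], kwh=1.0), "tag": genuine["tag"]}
    out["tampered"] = hes.receive(tampered)["reason"]
    # Spoofing: an attacker claims to be MTR-0002 without holding its key.
    spoofed = meter_report("MTR-0002", 1, 0.1, b"attacker-guess")
    out["spoofed"] = hes.receive(spoofed)["reason"]
    out["unknown_id"] = hes.receive(meter_report("MTR-9999", 1, 0.1, b"x"))["reason"]
    # Replay: the genuine message resent later.
    out["replayed"] = hes.receive(genuine)["reason"]
    # A bare hash is simply recomputed by whoever edits the message.
    forged = bare_hash_report("MTR-0001", 2, 0.0)
    out["bare_hash_forgery_passes"] = bare_hash_checks_out(forged)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26s} {value}")
```

A shared-key MAC tells the head end that the message came from something holding that meter's key, which covers spoofing, tampering and (with the sequence number) replay. It is not full non-repudiation: the DSO holds the same key, so it cannot prove to a third party, say in a billing dispute, that the meter rather than the DSO produced a report. For that, each meter needs its own signing key whose private half never leaves the device.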

• Information disclosure: Data sent on the communication channel between slave and master meters contains "...personal data such as meter readings, and also potentially confidential data such as software upgrades, configuration settings and alarms." [10] If an adversary compromises a master meter, or spoofs its identity with other computer equipment, the same information can be disclosed. The important security measures for preventing information disclosure are:

– A secure communication infrastructure and protocols

– Strong integrity protection

– Strong encryption

• Denial of service: There are quite a few scenarios that can cause a DoS between a slave and a master meter. First, if multiple slave meters are compromised, they can be used to perform a DDoS attack against the master. Also, having access to the communication channel or to a meter itself can give an adversary an opening to attack the meter on the other side by exploiting vulnerabilities. Depending on which access an adversary has, or is given through exploitation, it may be possible to cut or choke the power going through the attacked meter, causing an effective DoS attack on the user. Depending on the communication channel used between the slave and the master meter, different techniques can be used to disturb it, for example jamming on a shared channel like wireless or powerline communication. The important security measures for denial of service are:

– A secure communication infrastructure and protocols

– Quality of software

– Strong encryption

– Network segmentation

– DDoS protection

• Elevation of privilege: If an adversary has access to a slave meter and is able to attack the connected master meter, he may be able to exploit vulnerabilities to elevate his privileges on the master. All data going through the master meter can then be compromised. This is information already mentioned, for example personal data like meter readings, but also software, configuration settings, encryption keys and so on. The important security measures for elevation of privilege are:

– Quality of the software on meters

– Strong passwords

– Access lists

According to Keemik et al. [7], the interface used for connecting third-party equipment to smart meters is read-only, and according to the EU Smart Grid Task Force Work Group 2 [5] the only information transmitted over this interface is "...meter reads, pricing info and tariff info..." [10]. It is also not possible to request any information from third-party equipment; all communication is initiated by the meters [10]. This leaves very few risks.

• Spoofing: Not relevant because of the read-only privilege.


• Tampering: Not relevant because of the read-only privilege.

• Repudiation of origin: Not relevant because of the read-only privilege.

• Information disclosure: Third-party equipment can leak information about meter reads if it is connected to another communication channel. This will be discussed in a later section, when going into more detail on some examples of third-party equipment. According to [10], probably the only information disclosure that can happen over the smart grid from the third-party equipment interface is what kind of equipment is connected. It may then be possible for an adversary to see whether there is expensive equipment worth stealing connected to the grid. Hypothetically, this information can be extracted from the power line if PLC is used. The important security measures for information disclosure are:

– Limiting the information about third-party equipment available to the meter

– Restricting how much of this information the meter passes on [10]

• Denial of service: Third-party equipment making a meter unavailable is possible, both through errors and through attacks. A DoS attack coming from third-party equipment can happen in two ways: "A high number of requests from third party equipment make the meter unable to perform other tasks" or "Malicious requests from third party equipment exploit vulnerabilities in a meter in a way that makes the meter unavailable" [10]. The important security measures for denial of service are:

– ”The processing capacity of meter nodes” [10]

– Software quality

• Elevation of privilege Privileges are said to be read only, but if it ispossible to elevate these privileges to write, the scenario changes dra-matically. Then we are in to the impacts that are discussed earlier,when discussing threats if an adversary get access on the meters. Theimportant security measure for elevation of privilege is:

– Quality of the software on meters


One last threat is local maintenance on meters. All meters have a communication port, where maintenance personnel can communicate with the meter. This port is in most cases an optical serial port, following the ANSI C12.18 standard. It can be communicated with using a computer and an ANSI Type-2 opto-coupler, see Figure 1. This probe communicates with the computer over an RS-232 port or a virtual RS-232 port over USB, and can easily be bought on for example eBay, or built from readily available schematics [20]. The standard supports password authentication for read and write requests, but from experience, passwords on devices like this are often default or weak. ”Hacking” tools which communicate with smart meters over this port are also available. Termineter from SecureState is such a tool¹. The official description of this tool is as follows [16]:

”Termineter is a framework written in python to provide a platform for the security testing of smart meters. It implements the C12.18 and C12.19 protocols for communication. Currently supported are Meters using C12.19 with 7-bit character sets. Termineter communicates with Smart Meters via a connection using an ANSI type-2 optical probe with a serial interface, and can be used to read and write to the smart meter.”

• Spoofing: Not relevant. Spoofing is not necessary when one has access to the local maintenance interface.

• Tampering: With local maintenance access to the meter, the adversary can tamper with everything stored on the meter, for example configuration settings, software, encryption keys and private data like readings. The important security measures for preventing tampering are:

– Good authentication mechanism

– Strong password

– Principle of least privilege. Limit privilege and functionality to the absolute minimum

– Physical protection

• Repudiation of origin: If a meter falsely denies what kind of maintenance has taken place over the local interface, it can be difficult or impossible to ”identify the source of any meter problems” [10]. The important security measures for preventing repudiation of origin are:

– Logging functionality in meter

– Prevention mechanism to avoid log deletion or modification (integrity check)

¹ https://code.google.com/p/termineter/
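As an added example (not code from the paper or from the Demo Steinkjer work it cites), an append-only, hash-chained maintenance log of the kind the two measures above call for: the event records are constructed, and the idea that the meter reports the chain head to the DSO with each reading is an assumption.

```python
import hashlib
import json

GENESIS = b"\x00" * 32   # digest "before" the first entry


def entry_digest(prev_digest, entry):
    """Each link commits to the previous digest and the canonical entry,
    so the newest digest (the head) summarises the whole history."""
    payload = prev_digest + json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(payload).digest()


def append_entry(log, event):
    """Append `event` (a dict) to `log`, a list of (entry, digest) pairs.
    Returns the new head digest, which the meter would report to the DSO
    with its next reading (assumption: such an anchoring channel exists)."""
    prev = log[-1][1] if log else GENESIS
    entry = {"seq": len(log), **event}
    log.append((entry, entry_digest(prev, entry)))
    return log[-1][1]


def verify_log(log, anchored_head=None):
    """Return (ok, reason). Checks numbering, every link of the chain and,
    if the DSO-held head is given, that nothing was dropped from the end."""
    prev = GENESIS
    for i, (entry, digest) in enumerate(log):
        if entry.get("seq") != i:
            return False, f"entry numbering broken at position {i}"
        if digest != entry_digest(prev, entry):
            return False, f"entry {i} was modified or the chain is broken"
        prev = digest
    if anchored_head is not None and prev != anchored_head:
        return False, "head differs from the digest reported to the DSO"
    return True, "ok"


def demo():
    """Constructed maintenance session over the optical port, then three
    ways a dishonest user might try to hide what was done."""
    log = []
    append_entry(log, {"port": "optical", "action": "login", "user": "maint"})
    append_entry(log, {"port": "optical", "action": "config_write", "key": "tariff"})
    head = append_entry(log, {"port": "optical", "action": "firmware_update"})
    # 1. edit an entry in place: the stored digest no longer matches
    edited = [(dict(e), d) for e, d in log]
    edited[1][0]["action"] = "config_read"
    # 2. delete the last entry: locally consistent, but the head no longer matches
    truncated = log[:2]
    # 3. edit and rebuild the whole chain: only the anchored head catches it,
    #    which is why the head must leave the meter (full local access, as the
    #    Tampering bullet says, lets the adversary rewrite everything on it)
    rebuilt = []
    for e, _ in edited:
        append_entry(rebuilt, {k: v for k, v in e.items() if k != "seq"})
    return {"intact": verify_log(log, head),
            "edited": verify_log(edited, head),
            "truncated": verify_log(truncated, head),
            "rebuilt_local_only": verify_log(rebuilt),
            "rebuilt_anchored": verify_log(rebuilt, head)}
```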

• Information disclosure: If an adversary, for example a dishonest customer, has physical access to a meter, he ”...is able to pose as maintenance personnel, and thus gets access to all functionality intended for maintenance personnel. Such functionality is likely to include software updates, configuration updates, and access to potentially sensitive data such as configuration settings, software and encryption keys.” [10] The important security measures for preventing spoofing are:

– Good authentication mechanism

– Strong password

– Principle of least privilege. Limit privilege and functionality to the absolute minimum

– Physical protection

• Denial of service: With physical access to the smart meter, probably the easiest and most effective attack is to be very primitive and simply crush it. Also, with the access already mentioned, the configuration can be changed to destroy communication with the DSO, or something as drastic as cutting the power can be done. The important security measures for preventing denial of service are:

– Good authentication mechanism

– Strong password

– Principle of least privilege. Limit privilege and functionality to the absolute minimum

– Physical protection

• Elevation of privilege: Elevation of privilege is not necessary, since local maintenance access gives full access to the system.


Figure 1: Model A6Z ANSI Type 2 Optical Probe with 9-pin female ‘D’ connector wired for the IBM-PC standard. [1]

3.4 Third party equipment, Internet-of-Things

Threats to third party equipment connected to the smart grid through smart meters have to some degree already been mentioned, but this section goes a bit more into detail on examples of third party equipment, and how it works with the smart grid. This is the part that, together with the smart grid, is considered the Internet-of-Things. Examples of equipment are water heaters and washing machines that run when the energy cost is at its minimum during the day, but also displays or lights showing the power consumption. For some strange reason, people today want to share everything that happens in their life with the rest of the world. Strangely enough, this also applies to power consumption. There exist devices to automatically tweet your power consumption on Twitter, Tweet-a-watt², and several solutions to post your consumption on Facebook, for example the WattsUp Facebook application and the DIY KYOTO Wattson³. The Wattson device consists of a transmitting sensor that is clipped on a house's main power cable. The receiver displays the power usage, and changes the colour of its light depending on the consumption. The receiver is in turn connected to a computer with a USB cable, and is from there capable of posting updates to Facebook through a special app. Although these devices are not directly a part of the smart grid, they are examples of what kind of third party equipment can be connected to the smart grid in the future. The security problem with this is especially within information disclosure, and thereby privacy. When a customer posts his power consumption to Twitter or Facebook, it is easy for adversaries to track when people leave their houses, and thereby know when they can go on a burglary raid, much like the www.pleaserobme.com service, which tells whether people are home based on position data from social media like Foursquare, Facebook and Twitter [3].

Figure 2: DIY KYOTO Wattson Classic [9]

² http://www.ladyada.net/make/tweetawatt/
³ http://www.diykyoto.com/uk/

3.5 Attacking phasors, creating real havoc

Although attacking meters, communication lines and so on is interesting enough, it does not do that much damage. Attacking the DSO can be interesting enough, but it will probably take a lot of resources and inside knowledge to be able to perform the attack. But what if it were possible to attack the power itself? This would make a very good Denial-of-Service attack, which would create a great deal of havoc, like the 2003 blackout mentioned in the introduction of this paper. That would probably be a very interesting attack for cyber terrorists. One of the reasons for the 2003 blackout was that the power got out of phase. To mitigate this problem, Phasor Measurement Units (PMUs) were developed. The PMUs measure synchrophasors, which are voltage and current phasors referenced to an absolute time reference. Comparison of the different PMUs' phase measurements is done with the help of timestamps. The results from the PMUs are used to control phase adjusting equipment. If the PMUs give false results, they cause the power from different connected power sources to get out of phase. This will in turn short the power grid, causing a blackout. But how can one trick the PMUs into giving false results, you say? Remember that the PMUs are dependent on an absolute time reference? This reference time is provided by GPS time reference modules. This time can be spoofed, using GPS spoofing equipment. The difference from regular GPS spoofing, where the position is spoofed, is that here the GPS receiver's Position-Velocity-Time solution is influenced [17] [8].
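As an added example (not from the paper or from [17]), the mechanism above carried through numerically: a single-cycle synchrophasor estimate, how an offset in the PMU's absolute time reference rotates the reported phasor, and the 1 % Total Vector Error (TVE) limit that IEEE C37.118 sets for PMU accuracy, which gives the largest clock offset a PMU can absorb before its output is out of specification. The 50 Hz grid, sample rate and waveform values are assumptions.

```python
import cmath
import math

F_NOM = 50.0       # nominal grid frequency (assumption: 50 Hz grid)
FS = 4000          # PMU sample rate in samples/s (constructed value)
TVE_LIMIT = 0.01   # IEEE C37.118 steady-state TVE limit (1 %)


def sample_wave(t0, vrms=230.0, phi=0.3, f=F_NOM, fs=FS):
    """One cycle of a constructed line voltage x(t) = Vm*cos(2*pi*f*t + phi),
    sampled at the TRUE absolute times t0 + k/fs."""
    n = int(round(fs / f))
    vm = vrms * math.sqrt(2)
    return [vm * math.cos(2 * math.pi * f * (t0 + k / fs) + phi) for k in range(n)]


def synchrophasor(samples, t0, f=F_NOM, fs=FS):
    """Single-cycle DFT phasor estimate. `t0` is the time the PMU *believes*
    the first sample was taken; the angle is referenced to a cosine peaking at
    absolute time 0, so a wrong t0 rotates the result. Magnitude is RMS."""
    n = len(samples)
    acc = sum(x * cmath.exp(-2j * math.pi * f * (t0 + k / fs))
              for k, x in enumerate(samples))
    return math.sqrt(2) / n * acc


def tve(measured, reference):
    """Total Vector Error: relative distance between two phasors."""
    return abs(measured - reference) / abs(reference)


def time_offset_effect(dt):
    """Simulate a PMU whose clock runs `dt` seconds ahead of true time (as a
    spoofed GPS time solution would cause). Same samples, wrong timestamps.
    Returns (phase error in degrees, TVE, within_limit)."""
    t0 = 0.0125                                      # true time of first sample
    samples = sample_wave(t0)
    true = synchrophasor(samples, t0)
    spoofed = synchrophasor(samples, t0 + dt)
    err_deg = math.degrees(cmath.phase(spoofed / true))  # equals -360*f*dt
    e = tve(spoofed, true)
    return err_deg, e, e <= TVE_LIMIT


def max_time_offset(f=F_NOM, limit=TVE_LIMIT):
    """Largest clock offset (s) that keeps TVE within `limit`: a pure rotation
    by theta = 2*pi*f*dt gives TVE = 2*sin(theta/2), so solve for dt."""
    return 2 * math.asin(limit / 2) / (2 * math.pi * f)


if __name__ == "__main__":
    for dt in (20e-6, 40e-6):
        deg, e, ok = time_offset_effect(dt)
        print(f"clock offset {dt * 1e6:5.1f} us -> phase error {deg:+.3f} deg, "
              f"TVE {e * 100:.2f} % -> {'within' if ok else 'EXCEEDS'} 1 % limit")
    print(f"max tolerable offset at {F_NOM:.0f} Hz: {max_time_offset() * 1e6:.1f} us")
```

A few tens of microseconds of time error is enough to push a PMU outside its accuracy class, which is why a plausibility check on the received time (e.g. against a second clock source) is a sensible detection measure.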


Figure 3: GPS spoofing attack illustrated [17]

4 Vulnerabilities

A lot of the equipment in the smart grid will be commonly used SCADA and PLC systems, controlling and monitoring the power grid. PLCs normally communicate using a protocol called Modbus, which in turn is encapsulated in IP packets and sent over a normal IP network. So, together with the specific smart grid equipment, multiple communication protocols are used, but here, as in most other communication systems today, IP is the most used one. And when it comes to IP, there are literally tons of vulnerabilities, and tons of tools which can be used to find and exploit them. Mapping networks and finding vulnerabilities can be done with famous ”hacking” tools like for example Nmap⁴ and Tenable Nessus⁵, but also using search engines like Google, Bing⁶ and the already mentioned Shodan. The Metasploit Framework from Rapid7 is probably the best known exploitation framework for penetration testers. In May 2014, there were 17 hits when searching the Metasploit exploit database [13] for the phrase ”SCADA”, and even more when extending to search queries like ”PLC”, ”Siemens”, ”Modbus” and so on. The exploitation framework Canvas from Immunity [6] also has a lot of SCADA exploits, but in addition, the Moscow-based security firm Gleg Ltd. maintains the Agora SCADA+ Pack for Canvas, which promises 100% coverage of all public exploits in SCADA, industrial PCs, smart chips and industrial protocols [8]. They even conduct their own research to find zero-day exploits for this kind of systems [4].

Since we in many cases here are talking about IP, and vulnerabilities in IP based equipment, let us now take a look at some specific vulnerabilities which are common in ”usual” computer equipment communicating over IP, and also very relevant to smart grid equipment.

⁴ http://www.nmap.org
⁵ http://www.tenable.com
⁶ Yes, it can actually be used for some good! Bing actually has some features that Google doesn't have. For example it is possible to search for domains on one IP, using the query ip:123.123.123.123

4.1 Network segmentation

A potentially big vulnerability in the security of the smart grid is that some of the equipment used can be placed in the wrong network segments, making it accessible from the Internet, and making it possible to find with search engines like Shodan [19]. For example, if you search Shodan for the words ”Meter ION” and define port 23, you get over 100 hits [18]. These are smart meters from for example Siemens and Schneider.
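As an added example serving both the Modbus-over-IP point in Section 4 and the segmentation point above (this is not code from the paper): a small inspector for Modbus/TCP requests, as a network sensor on the control segment might run it, that flags any Modbus request from a source outside the control segment and any write or diagnostic/identification function code. The Modbus/TCP framing (MBAP header, function codes) is the public specification; the control segment prefix, the sample traffic and the addresses are constructed.

```python
import ipaddress
import struct

# Assumption: PLCs and meters live in 10.10.0.0/24 (constructed value)
CONTROL_SEGMENT = ipaddress.ip_network("10.10.0.0/24")
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
PROBE_CODES = {8: "Diagnostics", 43: "Encapsulated Interface (device identification)"}


def parse_mbap(frame):
    """Parse one Modbus/TCP ADU: MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code, data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "fc": fc, "data": frame[8:]}


def inspect(src_ip, frame):
    """Return a list of alert strings for one request (empty = nothing odd)."""
    try:
        req = parse_mbap(frame)
    except ValueError as e:
        return [f"{src_ip}: malformed Modbus/TCP ({e})"]
    alerts = []
    if ipaddress.ip_address(src_ip) not in CONTROL_SEGMENT:
        alerts.append(f"{src_ip}: Modbus from outside control segment (FC {req['fc']})")
    if req["fc"] in WRITE_CODES:
        alerts.append(f"{src_ip}: write to unit {req['unit']}: {WRITE_CODES[req['fc']]}")
    elif req["fc"] in PROBE_CODES:
        alerts.append(f"{src_ip}: probe: {PROBE_CODES[req['fc']]}")
    return alerts


def build_request(tid, unit, fc, data):
    """Build a Modbus/TCP request frame (used here to construct sample traffic)."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(data), unit, fc) + data


# Constructed traffic sample: (source address, frame)
SAMPLE = [
    ("10.10.0.5", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),      # read 10 regs
    ("10.10.0.5", build_request(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),
    ("198.51.100.7", build_request(3, 1, 43, b"\x0e\x01\x00")),            # from outside
    ("198.51.100.7", build_request(4, 1, 5, struct.pack(">HH", 0, 0xFF00))),  # coil ON
]


def run(sample=SAMPLE):
    """Inspect every frame in `sample` and return all alerts in order."""
    return [a for src, frame in sample for a in inspect(src, frame)]
```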

4.2 Default password

For some reason, in way too many cases, those who install equipment like SCADA systems in all sorts of forms tend not to change the default password. In my career as a penetration tester, I have seen this way too many times, in for example smart meters, heating, ventilation, PDU⁷ and UPS⁸ systems. In the Shodan example in the previous section, a quick Google search gives you Schneider Electric's frequently asked questions, where you are given the default password [14]:

The login varies from meter to meter but is commonly simply the model number of the meter as a username such as ”7300”, ”7500”, ”7600” with the password of usually ”0” if it has not been changed from its default.

For legal and ethical reasons the default password has not been tried on the hosts found with Shodan, but one can assume from previous experience that at least a few of the over one hundred systems found still use the default password. Default passwords are not only relevant to network access to the equipment, but also to the local maintenance port, which was discussed earlier.

Default passwords are not only relevant to services communicating over IP. The tool Termineter, as discussed earlier, in some cases needs a password to be able to communicate with the smart meter. If this is the default, it is very easy, and if it is weak, it can in many cases be brute forced.

5 Conclusion

There is no doubt that smart grids will soon, if they are not already, be a part of most people's lives. When building a system like this, which interacts with so many people, security should be considered the most important thing. There are probably a lot of people thinking about this, but one problem is that large portions of the smart grid are built up from equipment from another era, when this kind of system was a standalone system, not connected to other systems, and if they were, it was to a very limited number, and very few could access them. Today, when industrial control systems, SCADA systems and smart grid systems are connected to the Internet, where the entire world potentially has access, the scenario is a lot different. A PLC with no authentication mechanism can work great, and be quite secure, if it is in a standalone network with no connection to the outside, but the scenario is turned upside down when it is connected to the Internet and is responsible for switching the power on and off in an entire city block. There will be a lot of challenges in the upcoming years, when the rest of the world's smart grids are built, and hopefully vendors will open their eyes and realise that their equipment today can be accessed by a lot of people with bad intentions.

Figure 4: Typical smart meters. Notice the two black dots within the metal frame on the right side. That is the optical serial port. [15]

⁷ Power Distribution Unit
⁸ Uninterruptible Power Supply

6 Abbreviation list

AMI  Advanced Metering Infrastructure
ARP  Address Resolution Protocol
DDoS  Distributed Denial of Service
DOE  Department of Energy
DSO  Distribution System Operator
GPRS  General Packet Radio Service
GPS  Global Positioning System
GSM  Groupe Spécial Mobile (Global System for Mobile communications)
IP  Internet Protocol
MiTM  Man in The Middle
PDU  Power Distribution Unit
PLC  Power Line Communication / Programmable Logic Controller
PMU  Phasor Measurement Unit
SCADA  Supervisory Control and Data Acquisition
STRIDE  Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
TLS  Transport Layer Security
UPS  Uninterruptible Power Supply

References

[1] Abacuselectrics. Probes for a lap-top or desk-top computers. http://www.abacuselectrics.com/ansi.htm. Accessed: 30 Apr 2014.

[2] Bishop, M. Computer Security: Art and Science. Addison-Wesley Professional, 2002.

[3] Flick, T., and Morehouse, J. Securing the Smart Grid: Next Generation Power Grid Security. Elsevier, 2010.

[4] Gleg. SCADA+ Pack. http://gleg.net/agora scada.shtml. Accessed: 08 May 2014.

[5] Task Force Smart Grids. Expert Group 2: Regulatory recommendations for data safety, data handling and data protection, 2011.

[6] Immunity. Canvas. http://www.immunitysec.com/products-canvas.shtml. Accessed: 08 May 2014.

[7] Keemink, S., and Roos, B. Security analysis of Dutch smart metering systems. University of Amsterdam, 2008.

[8] Knapp, E. D., and Samani, R. Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure, 1st ed. Syngress, April 2013.

[9] Kyoto. Wattson Classic. http://www.diykyoto.com/uk/aboutus/wattson-classic. Accessed: 05 May 2014.

[10] Line, M. B., Jaatun, M. G., and Tøndel, I. A. Security threats in Demo Steinkjer. Kartlegging av informasjonssikkerhetsmessige sårbarheter i AMS, 2012.

[11] Line, M. B., Johansen, G., and Sæle, H. Risikovurdering av AMS. Kartlegging av informasjonssikkerhetsmessige sårbarheter i AMS, 2012.

[12] Microsoft. The STRIDE threat model. http://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx, 2005. Accessed: 30 Apr 2014.

[13] Rapid7. Metasploit exploit database. http://www.rapid7.com/db/. Accessed: 08 May 2014.

[14] Schneider-Electric. Problems connecting to an ION meter? http://www.schneider-electric.us/sites/us/en/support/faq/faq main.page?page=content&country=us&lang=en&id=FA212303&redirect=true, 2014. Accessed: 11 Apr 2014.

[15] SecureState. Remotely attack smart meters with Termineter tool. http://blog.securestate.com/termineter-framework-open-source-smart-meter-hacking-tool/. Accessed: 08 May 2014.

[16] SecureState. Termineter. https://code.google.com/p/termineter/. Accessed: 30 Apr 2014.

[17] Shepard, D. P., Humphreys, T. E., and Fansler, A. A. Evaluation of the vulnerability of phasor measurement units to GPS spoofing attacks. International Journal of Critical Infrastructure Protection 5, 3 (2012), 146–153.

[18] Shodan. Meter ION. http://www.shodanhq.com/search?q=port Accessed: 11 Apr 2014.

[19] Shodan. Shodan. http://www.shodanhq.com/, 2014. Accessed: 11 Apr 2014.

[20] Solarshare. Building an ANSI Type-2 opto-coupler. http://solarshare.net/HT/OC/oc.htm. Accessed: 30 Apr 2014.

[21] Sorebo, G. N., and Echols, M. C. Smart Grid Security: An End-to-End View of Security in the New Electrical Grid. CRC Press, 2011.

[22] Swiderski, F., and Snyder, W. Threat Modeling (Microsoft Professional), 1st ed. Microsoft Press, July 2004.

[23] Xiao, Y. Security and Privacy in Smart Grids. CRC Press, 2013.