
Smart Metering - War Stories Eyal Udassin – C4 Security

www.c4-security.com


Contents

Introduction

Risk Beyond the Home

Overview of 9 Vulnerability Types

Recommendations & Insights



About C4 

Based in Israel, established 2005

Consists of security experts, reverse engineers and protocol analysts

Provide “red team” penetration tests to utilities, financial institutions and governmental agencies

Successfully penetrated electric, gas and water utilities

Our team’s skills enable us to find and exploit vulnerabilities in proprietary systems


Introduction 

National infrastructure utilities directly affect the well-being of a nation’s civilians, thus they are a prime target for terrorists

Electricity is usually on the top of the list, as other infrastructures rely on it

An attacker seeks to get control over the entire network, or in some cases just a few critical devices

We strongly believe that in order to thwart such attacks, it is necessary to conduct the same offensive research


Underappreciated Risk 

Millions of meters rolling out each year 

Everyone can tamper with their meters in the privacy of their home

Direct influence on income, which will hopefully offset initial and running costs

Several utilities enable remote connect / disconnect functions

At the micro level, the risk is negligible

Angry customer

Electricity scammer


Underappreciated Risk 

But what about the big picture?

Wide-scale financial loss

Lessons learned from cable/satellite TV

The smart metering network is strikingly similar!

Uncontrolled outages 

The ability to remotely disconnect a customer can be intentionally misused by an attacker

If an aggregated effect can be achieved, it may result in city or national level outages

Instead of seeking the well-protected control center, the outage can be caused by attacking the nodes


Attacker Profile 

Those who seek to harm infrastructure belong to the organized crime / terror / nation-state category

Professionals

West vs. China / Al Qaeda / N. Korea / Whoever…

Teams that gather recon about the target

Can get software and hardware directly from vendors under false pretenses


Scammer Profile 

People who want to reduce their electric bill

And their neighbours

And all their friends

And everyone else for 50 €

Initial research considered as “playing”

As an engineer, it’s quite hard NOT to tamper with the new device that just landed in my


Common Vulnerabilities  

      

Use of public infrastructure Network management from remote nodes Lack of authentication Authentication bypass Slave meter data tampering Slave meter unauthorized disconnection Firmware upgrade vulnerabilities Insecure protocol implementation Input validation www.c4-security.com


Use of Public Infrastructure 

GPRS clearly the most popular

Most utilities know they need a separate APN 

Some don’t…

GPRS routers found to be accessible from the internet

Attack scenarios

DoS the routers, extort the utility

Redirect traffic to a rogue server, offer discounts to customers for a fee

Do the telecom’s employees undergo security clearance tests?


Who’s the Boss? 

APN credentials are easily recovered from the meter

Connect your laptop using the SIM and APN information to the grid network

A surprising number of routers, switches and servers are willing to accept telnet/SSH/other management portal connections

An attacker will gain network management rights given:

Enough time

Simple passwords

Lack of an alerting mechanism


Who’s the Boss? 

Example

A major utility in Israel

Unintentionally allowed the nodes to have SSH access to the mission-specific routers

Routers were compromised within 1 hour of brute-forcing

The login brute force did not raise any alert

We successfully defined our node as the new gateway of the field network – all comms went through our laptop

Will you be able to detect such a network change?
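A defender’s check for the two signals this example describes, written as an added illustration (not C4’s or the utility’s tooling): it counts failed SSH logins per source in a field router’s syslog, flags a login that succeeds after a brute-force burst, and compares a node’s default gateway against the documented one. The log format, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# OpenSSH-style syslog patterns (log format assumed, not taken from the slides).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
DEFAULT_ROUTE = re.compile(r"^default via (?P<gw>\S+)")

def analyze_ssh_log(lines, threshold=10):
    """Return (kind, source, user) alerts: 'bruteforce' when a source reaches
    `threshold` failures, 'success_after_bruteforce' when it then logs in."""
    failures = Counter()
    alerts = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m["src"]] += 1
            if failures[m["src"]] == threshold:
                alerts.append(("bruteforce", m["src"], m["user"]))
            continue
        m = ACCEPT.search(line)
        if m and failures[m["src"]] >= threshold:
            alerts.append(("success_after_bruteforce", m["src"], m["user"]))
    return alerts

def unexpected_gateway(ip_route_output, expected_gw):
    """Return the default gateway from 'ip route' output if it differs from the
    documented one, else None; catches a field node that made itself the gateway."""
    for line in ip_route_output.splitlines():
        m = DEFAULT_ROUTE.match(line.strip())
        if m and m["gw"] != expected_gw:
            return m["gw"]
    return None

def build_sample_log():
    """Constructed sample: 12 failures from one node, one stray failure from
    another node, then a successful login from the first node."""
    lines = [
        f"Mar 12 03:14:{i:02d} fr-gw-01 sshd[812]: Failed password for admin "
        f"from 10.20.1.17 port {40100 + i} ssh2"
        for i in range(12)
    ]
    lines.append("Mar 12 03:14:30 fr-gw-01 sshd[812]: Failed password for admin "
                 "from 10.20.1.9 port 51000 ssh2")
    lines.append("Mar 12 03:15:40 fr-gw-01 sshd[819]: Accepted password for admin "
                 "from 10.20.1.17 port 40190 ssh2")
    return lines
```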


Authentication Issues 

Lack of authentication between utility server and meter

Where authentication was implemented, we always managed to bypass it

Attack scenarios 

Pretend to be the utility server, send disconnect commands (field-to-field attack)

Falsify meter readings

Change meter configuration

Much harder for the utility to investigate the malfunction

Stuxnet for meters?


Authentication Issues 

Example of a bad authentication mechanism

Exists in at least 2 popular meters

External connection: I want to control you

Meter: I am password protected, the password is “topsecret”

External connection: topsecret

Meter: Awaiting command
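The flawed dialogue above, simulated beside a challenge-response form that never puts the secret on the wire. This is an added example, not code from either meter vendor or from C4; the pre-shared key, the password and the HMAC-SHA256 construction are assumptions.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"meter-0042-psk"  # constructed pre-shared key, not a real meter's

class WeakMeter:
    """Mirrors the slide's dialogue: the meter announces its own password."""
    def __init__(self, password):
        self._password = password
    def greet(self):
        return f'I am password protected, the password is "{self._password}"'
    def authenticate(self, attempt):
        return attempt == self._password

class ChallengeResponseMeter:
    """Hardened form: random nonce per attempt, accepted only with an HMAC-SHA256 under the shared key."""
    def __init__(self, key):
        self._key = key
        self._nonce = None
    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce
    def authenticate(self, response):
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        self._nonce = None  # single use: a captured response cannot be replayed
        return ok

def server_response(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()

def weak_accepts_echoed_password():
    # Anyone reading the link can echo the announced password and is accepted.
    meter = WeakMeter("topsecret")
    return meter.authenticate(meter.greet().split('"')[1])

def hardened_accepts(key_held_by_caller):
    # True only when the caller actually holds the shared key.
    meter = ChallengeResponseMeter(SHARED_KEY)
    return meter.authenticate(server_response(key_held_by_caller, meter.challenge()))

def replay_rejected():
    # A valid response works once; replaying it without a new challenge fails.
    meter = ChallengeResponseMeter(SHARED_KEY)
    response = server_response(SHARED_KEY, meter.challenge())
    return meter.authenticate(response), meter.authenticate(response)
```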


Slave Meters 

Viewed as less critical, as they are not in direct link with the network

Very easy for mass-fraud devices (gumstix derivatives) 

Remove when the utility technician plans to visit

RF based master-to-slave communication can be used by an attacker to cause a city-wide slave meter disconnection (complex, but possible)


Firmware Upgrades 

Same problems as set-top boxes (cable/ satellite)

Lack of this capability is a huge risk on the utility’s part

Never say never

Must be a signed, or at least authenticated, process.

Otherwise the misuse potential is a “silver bullet” for both scammers and attackers. Think
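An added example (not a vendor’s or C4’s code) of the authenticated update check the slide asks for: the meter verifies a tag over header and payload before accepting an image and refuses version rollback. The image layout is constructed, and an HMAC with a per-device key stands in for the vendor signature; a real deployment would use an asymmetric signature so the meter holds only a public key.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")  # magic, version, payload length (constructed layout)
TAG_LEN = 32                     # HMAC-SHA256 tag appended after the payload

def build_image(key, version, payload):
    # Vendor side: the tag covers header and payload, so neither can be altered.
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verify_image(key, image, installed_version):
    """Meter side. Returns (accepted, reason); rejects malformed, tampered,
    wrongly keyed and rolled-back images before anything is flashed."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "too short"
    magic, version, length = HEADER.unpack(image[:HEADER.size])
    if magic != MAGIC:
        return False, "bad magic"
    if len(image) != HEADER.size + length + TAG_LEN:
        return False, "length mismatch"
    body, tag = image[:HEADER.size + length], image[HEADER.size + length:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"
    if version <= installed_version:
        return False, "rollback"  # an older, still valid image must not be re-installed
    return True, "ok"
```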


Conclusion 

Smart grid meters and deployments can be maliciously used in numerous ways

Wide-scale financial impact potential

In extreme cases even outages

All the vulnerabilities listed are real vulnerabilities which we uncovered in audits for multiple clients


Conclusion 

There’s A LOT that can be done, as unlike SCADA systems:   

Many vendors

Based on modern communication and CPUs

Currently no need for backward compatibility - 1st generation

Let’s do it right!



Recommendations 

Know your attacker

Conduct a risk analysis based on that profile

Design the grid with security in mind 

Get a 3rd party unrelated to the project team in order to avoid conflict of interest

End to End encryption

Secured firmware updates

Periodic integrity tests on meters – avoid Stuxnet



Recommendations 

“In God we trust; the rest we test”

Remember the meter authentication example? Will remain a hidden vulnerability if we limit ourselves to auditing the architecture and not the implementation

Verify, verify, verify 

Your security posture may change due to 3rd party mistakes 

Telco reconfiguring their routers

Meter vendor provides new firmware that opens previously closed vulnerabilities

Ongoing process!



Questions?



Eyal Udassin - C4 Presentation: Smart Grid Vulnerabilities