
Smart Metering - War Stories Eyal Udassin – C4 Security


Introduction

Risk Beyond the Home

Overview of 9 Vulnerability Types

Recommendations & Insights

About C4 

Based in Israel, established 2005

Consists of security experts, reverse engineers and protocol analysts

Provide “red team” penetration tests to utilities, financial institutions and governmental agencies

Successfully penetrated electric, gas and water utilities

Our team’s skills enable us to find and exploit vulnerabilities in proprietary systems

Introduction 

National infrastructure utilities directly affect the well-being of nations’ civilians, making them a prime target for terrorists

Electricity is usually on the top of the list, as other infrastructures rely on it

An attacker seeks to get control over the entire network, or in some cases just a few critical devices

We strongly believe that in order to thwart such attacks, it is necessary to conduct the same offensive research

Underappreciated Risk 

Millions of meters rolling out each year 

Everyone can tamper with their meters in the privacy of their home

Direct influence on income, which will hopefully offset initial and running costs

Several utilities enable remote connect / disconnect functions

At the micro level, risk is negligible

Angry customer

Electricity scammer

Underappreciated Risk 

But what about the big picture?

Wide-scale financial loss

Lessons learned from cable/satellite TV

The smart metering network is strikingly similar!

Uncontrolled outages 

The ability to remotely disconnect a customer can be intentionally misused by an attacker

If an aggregated effect can be achieved, it may result in city or national level outages

Instead of seeking the well-protected control center, the outage can be caused by attacking the nodes

Attacker Profile 

Those who seek to harm infrastructure belong to organized crime/terror/national category


West vs. China / Al Qaeda / N. Korea / Whoever…

Teams that gather recon about the target

Can get software and hardware directly from vendors under false pretenses

Scammer Profile 

People who want to reduce their electric bill

And their neighbours

And all their friends

And everyone else for 50 €

Initial research considered as “playing”

As an engineer, it’s quite hard NOT to tamper with the new device that just landed in my

Common Vulnerabilities

Use of public infrastructure

Network management from remote nodes

Lack of authentication

Authentication bypass

Slave meter data tampering

Slave meter unauthorized disconnection

Firmware upgrade vulnerabilities

Insecure protocol implementation

Input validation

Use of Public Infrastructure 

GPRS clearly the most popular

Most utilities know they need a separate APN 

Some don’t…

GPRS routers found to be accessible from the internet

Attack scenarios

DoS the routers, extort the utility

Redirect traffic to a rogue server, offer discounts to customers for a fee

Do the telecom’s employees undergo security clearance tests?

Who’s the Boss? 

APN credentials are easily recovered from the meter

Connect your laptop using the SIM and APN information to the grid network

A surprising number of routers, switches and servers are willing to accept telnet/SSH/other management portal connections

An attacker will gain network management rights given:

Enough time

Simple passwords

Lack of alerting mechanism

Who’s the Boss? 

Example

A major utility in Israel

Unintentionally allowed the nodes to have SSH access to the mission-specific routers

Routers were compromised within 1 hour of brute-forcing

The login brute force did not raise any alert

We successfully defined our node as the new gateway of the field network – all comms went through our laptop

Will you be able to detect such a network change?
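The slide's point is that an hour of SSH brute-forcing against the field routers raised no alert. The detection logic below is an added example (not from the presentation or from C4): it walks sshd-style authentication log lines, counts failures per source inside a sliding window, and alerts both on the burst and on a success that follows it. The log lines, hostname and addresses are constructed, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines from a hypothetical field router (not real data).
SAMPLE_LOG = """\
Jan 12 03:00:01 fieldrtr1 sshd[812]: Failed password for admin from 10.20.0.44 port 51022 ssh2
Jan 12 03:00:02 fieldrtr1 sshd[813]: Failed password for admin from 10.20.0.44 port 51023 ssh2
Jan 12 03:00:02 fieldrtr1 sshd[814]: Failed password for root from 10.20.0.44 port 51024 ssh2
Jan 12 03:00:03 fieldrtr1 sshd[815]: Failed password for admin from 10.20.0.44 port 51025 ssh2
Jan 12 03:00:04 fieldrtr1 sshd[816]: Failed password for admin from 10.20.0.44 port 51026 ssh2
Jan 12 03:00:05 fieldrtr1 sshd[817]: Accepted password for admin from 10.20.0.44 port 51027 ssh2
Jan 12 03:10:00 fieldrtr1 sshd[900]: Failed password for admin from 10.20.0.7 port 40001 ssh2
Jan 12 03:20:00 fieldrtr1 sshd[901]: Accepted password for admin from 10.20.0.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

def parse(line, year=2010):
    """Syslog lines carry no year; 2010 is an assumed value for the sample."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source reaches `threshold` failed logins inside `window`,
    and again if that same source then logs in successfully (likely compromise)."""
    failures = defaultdict(list)   # src -> failure timestamps still inside the window
    alerts = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, _user, src = parsed
        recent = [t for t in failures[src] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append((src, f"{threshold} failed logins within {window}"))
        elif len(recent) >= threshold:
            alerts.append((src, "successful login after brute-force burst"))
        failures[src] = recent
    return alerts
```

The single slow failure from 10.20.0.7 stays below the threshold, so only the bursting source is reported; the second alert (success after a burst) is the one worth paging on.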

Authentication Issues 

Lack of authentication between utility server and meter

In the cases where authentication was implemented, we always managed to bypass it

Attack scenarios 

Pretend to be the utility server, send disconnect commands (field-to-field attack)

Falsify meter readings

Change meter configuration

Much harder for the utility to investigate the malfunction

Stuxnet for meters?

Authentication Issues

Example of a bad authentication mechanism

Exists in at least 2 popular meters

External connection: I want to control you

Meter: I am password protected, the password is “topsecret”

External connection: topsecret

Meter: Awaiting command
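As an added example (not code from the presentation or from any meter vendor), the exchange above is modelled next to a nonce-based challenge-response that fixes it. The hardened scheme assumes the meter and the utility head-end share a per-meter key; the meter sends a fresh nonce, the head-end answers with an HMAC over nonce and command, so the secret never crosses the wire, a captured answer is useless once its nonce is consumed, and the tag binds the command it authorizes. Class and function names are hypothetical.

```python
import hmac, hashlib, secrets

# --- The flawed scheme from the slide: the meter's own prompt discloses the password.
class LeakyMeter:
    def __init__(self, password: str):
        self._password = password
    def challenge(self) -> str:
        # Whoever connects learns the secret before proving anything.
        return f"I am password protected, the password is {self._password}"
    def authenticate(self, response: str) -> bool:
        return response == self._password

# --- Added hardened scheme (assumption: meter and head-end share a per-meter key).
# The meter sends a fresh random nonce; the head-end answers with
# HMAC(key, nonce || command). The secret never crosses the wire, a captured
# response is useless after its nonce is consumed, and the tag binds the command.
class ChallengeResponseMeter:
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None
    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending
    def execute(self, command: bytes, tag: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending + command, hashlib.sha256).digest()
        self._pending = None            # one nonce, one attempt: blocks replay
        return hmac.compare_digest(expected, tag)

def headend_respond(key: bytes, nonce: bytes, command: bytes) -> bytes:
    return hmac.new(key, nonce + command, hashlib.sha256).digest()

def demo():
    leaky = LeakyMeter("topsecret")
    learned = leaky.challenge().rsplit(" ", 1)[-1]      # read straight from the prompt
    flawed_bypass = leaky.authenticate(learned)

    key = secrets.token_bytes(32)                        # constructed per-meter key
    meter = ChallengeResponseMeter(key)
    tag = headend_respond(key, meter.challenge(), b"DISCONNECT")
    legit = meter.execute(b"DISCONNECT", tag)
    meter.challenge()
    replay = meter.execute(b"DISCONNECT", tag)           # old tag against a new nonce
    tag = headend_respond(key, meter.challenge(), b"READ")
    forged = meter.execute(b"DISCONNECT", tag)           # tag for READ, command swapped
    return flawed_bypass, legit, replay, forged
```

A shared symmetric key is still only as strong as the meter's key storage (the APN slide shows how easily credentials come out of a meter), so per-meter keys and tamper-resistant storage matter as much as the protocol.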

Slave Meters 

Viewed as less critical, as they’re not in direct link with the network

Very easy for mass-fraud devices (gumstix derivatives) 

Remove when the utility technician plans to visit

RF based master-to-slave communication can be used by an attacker to cause a city-wide slave meter disconnection (complex, but possible)

Firmware Upgrades 

Same problems as set-top boxes (cable/ satellite)

Lack of this capability is a huge risk for the utility

Never say never

Must be a signed, or at least authenticated, process.

Otherwise the misuse potential is a “silver bullet” for both scammers and attackers. Think
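The slide asks for a signed, or at least authenticated, upgrade process. The following is an added example (not code from the presentation or from any meter vendor) of the "at least authenticated" option: an HMAC-SHA256 tag over a small constructed image format, verified before any header field is trusted, followed by an anti-rollback check so a withdrawn image cannot be re-installed. The header layout, magic value and key are assumptions; with a public-key signature in place of the HMAC, the meter would hold only a verification key and no secret worth extracting.

```python
import hmac, hashlib, struct

MAGIC = b"MTR1"
HDR = struct.Struct(">4sII")      # magic, version, payload length (constructed format)
TAG_LEN = 32

def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor/head-end side: header || payload || HMAC-SHA256 over everything before it."""
    body = HDR.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_image(key: bytes, image: bytes, installed_version: int):
    """Meter side. Returns (accepted, reason, version).
    Order matters: authenticate the whole blob before parsing a single header
    field, then refuse downgrades so an old, known-bad image cannot be re-installed."""
    if len(image) < HDR.size + TAG_LEN:
        return False, "truncated", None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return False, "bad tag", None
    magic, version, length = HDR.unpack_from(body)
    if magic != MAGIC or length != len(body) - HDR.size:
        return False, "malformed header", None
    if version <= installed_version:
        return False, "rollback", version
    return True, "ok", version

def demo():
    key = b"\x11" * 32                       # constructed per-meter key for the demo
    good = build_image(key, 3, b"firmware blob v3")
    tampered = bytearray(good)
    tampered[HDR.size] ^= 0x01               # flip one payload bit
    return (
        verify_image(key, good, 2)[0],              # True: newer and authentic
        verify_image(key, bytes(tampered), 2)[1],   # "bad tag": payload modified
        verify_image(key, good, 3)[1],              # "rollback": not newer than installed
        verify_image(b"\x22" * 32, good, 2)[1],     # "bad tag": wrong key
    )
```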

Conclusion 

Smart grid meters and deployments can be maliciously used in numerous ways

Wide-scale financial impact potential

In extreme cases even outages

All the vulnerabilities listed are real vulnerabilities which we uncovered in audits for multiple clients

Conclusion 

There’s A LOT that can be done, as unlike SCADA systems:

Many vendors

Based on modern communication and CPUs

Currently no need for backward compatibility - 1st generation

Let’s do it right!

Recommendations 

Know your attacker

Conduct a risk analysis based on that profile

Design the grid with security in mind 

Get a 3rd party unrelated to the project team in order to avoid conflict of interest

End to End encryption

Secured firmware updates

Periodic integrity tests on meters – avoid Stuxnet

Recommendations 

“In god we trust, the rest we test”  

Remember the meter authentication example? It will remain a hidden vulnerability if we limit ourselves to auditing the architecture and not the implementation

Verify, verify, verify 

Your security posture may change due to 3rd party mistakes 

Telco reconfiguring their routers

Meter vendor provides new firmware that opens previously closed vulnerabilities

Ongoing process!

