Smart Grid Security Loopholes Hit the Enterprise

Posted 12-11-2012

By Slade Griffin and Erich Gunther


The ability to manage your own energy destiny is one of the great opportunities of the digitized and interactive smart grid—the place where energy, communications and IT unite. This unprecedented opportunity to receive and respond to energy information will, however, be available not just to industry, but also to every consumer. Such unparalleled access also presents vulnerabilities that require the enterprise to rethink its teams, models and security systems.

Over the past year and a half there has been much talk about critical infrastructure being vulnerable to hackers. Not a month goes by now without a breach of a major online service provider, a security company or even one of the once "safe" control systems. Industrial control, building management and utility energy management systems are more exposed than before, because new technologies are being deployed to enable remote communication with previously isolated equipment. In addition, security researchers have increased their focus on the smart grid and its equipment, and are making its vulnerabilities known.

Some vulnerabilities, for example, are announced through alerts by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and are intended to increase awareness among critical infrastructure owners and operators. A potential attacker could monitor the ICS-CERT alerts and use a search engine to locate a vulnerable target. The amount of information publicly available to an attacker could enable him or her to read about a vulnerability, locate the necessary details to exploit the flaw, and find a target on the Internet without ever running a traditional scanning tool.

We tested this scenario recently when ICS-CERT issued advisory 12-146-01 about weak password cryptography in network equipment used for traffic control systems, railroad communications, power plants, electric substations and military sites. Our test team was able to read the advisory, locate on the Internet a script that exploits the flaw, and find several vulnerable devices on the Internet using a simple search string. The time from learning of the vulnerability to being able to exploit a vulnerable platform? Less than 10 minutes. With the script and search now automated, we can repeat this in less than 2 minutes. That's how easily some attacks can be executed.
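
A defender's first check against the scenario just described is whether the management interfaces of its own network equipment can be reached from anywhere other than the management network. The following is an added example for this article, not code from the authors or from EnerNex: it reviews constructed firewall log lines in an assumed, simplified format (timestamp, src=, dst=, dport=, action=) and flags connections to management ports on an assumed set of device addresses that did not originate from an assumed management subnet.

```python
"""Review firewall logs for management-plane access to network equipment.

Added example for this article; not code from the authors or from EnerNex.
The log lines are constructed, and their layout (timestamp, src=, dst=,
dport=, action=) is an assumed, simplified format, not a specific vendor's.
"""
import ipaddress
import re

# Ports on which embedded network equipment typically exposes management.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 161: "snmp"}

# Assumed: the only network that should ever reach device management interfaces.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Assumed: the routers/switches in the substation or plant network we care about.
DEVICE_ADDRS = {ipaddress.ip_address("10.20.1.1"), ipaddress.ip_address("10.20.1.2")}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log: one legitimate admin session, a Telnet login to both
# devices from an Internet address, a Modbus poll (not management), and a
# blocked HTTPS attempt from another outside address.
SAMPLE_LOG = """\
2012-11-12T08:01:10Z src=10.10.0.15 dst=10.20.1.1 dport=22 action=allow
2012-11-12T08:02:33Z src=203.0.113.77 dst=10.20.1.1 dport=23 action=allow
2012-11-12T08:02:34Z src=203.0.113.77 dst=10.20.1.2 dport=23 action=allow
2012-11-12T08:05:00Z src=192.168.5.9 dst=10.20.1.1 dport=502 action=allow
2012-11-12T08:06:41Z src=198.51.100.4 dst=10.20.1.2 dport=443 action=deny
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def is_management_source(addr):
    return any(addr in net for net in MANAGEMENT_NETS)


def review(log_text):
    """Return (severity, ts, src, dst, service) for every management-port
    connection to a monitored device that did not come from the management
    network.  Allowed connections are HIGH (the control is missing); denied
    ones are INFO (the control worked, but someone is knocking)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] not in DEVICE_ADDRS or rec["dport"] not in MANAGEMENT_PORTS:
            continue
        if is_management_source(rec["src"]):
            continue
        severity = "HIGH" if rec["action"] == "allow" else "INFO"
        findings.append((severity, rec["ts"], str(rec["src"]), str(rec["dst"]),
                         MANAGEMENT_PORTS[rec["dport"]]))
    return findings


def sources_to_block(findings):
    """Outside addresses that actually got through; candidates for an ACL."""
    return sorted({src for sev, _, src, _, _ in findings if sev == "HIGH"})


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for f in results:
        print("%-4s %s %s -> %s (%s)" % f)
    print("block:", sources_to_block(results))
```

The Modbus poll on port 502 is deliberately left alone: the point is to separate the management plane (which should be reachable only from the management network) from the process traffic the equipment exists to carry. A HIGH finding means the access control the advisory scenario relies on is absent, and the device should be assumed to have been enumerated.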

“How does this happen?” CIOs everywhere often ask. There isn’t a simple answer. Layers of complexity in each environment dictate the correct way to defend your data and other assets. Yet there are some common threads that could help you bolster your defenses regardless of what you’re defending.

Take a close look at your corporate IT, building services and security teams. The addition of a bidirectional energy system linking corporate IT and building infrastructure management may require hiring a security professional who can bridge the new connection in a secure way. Hire the right people: people who are constantly seeking to learn and who understand that what made you secure yesterday may create a vulnerability tomorrow. These employees can be your most valuable asset. A project manager or policy maker should not be making technical decisions that he or she does not understand, and a technical person who cannot manage a program or personnel should not be tasked with those duties either. To staff these positions properly, it may be necessary to train a leader and/or cross-train personnel as you develop them. In addition, a new system of collaboration between the different areas must be instituted. In smart grid and control systems, a seasoned operator or engineer who understands the function of the equipment and the impact of adverse events on it is a valuable member of any security team.

Fund your security program and give these people more financial power. Security should be 15 to 20 percent of your IT budget every year. If you haven't seen an equipment upgrade or product requisition in a few years, something is wrong. Rarely have we seen an adequately funded security team. In many cases such teams have an independent personnel budget, but must requisition equipment via an IT or networking group. This may work well in some cases and even help foster better relationships through those teams. However, even then, you should give your security team a minimum of “line-item” control and decision-making capability to ensure the technologies they deem the best are applied to your environment.

Yesterday's technology (firewalls, intrusion prevention systems, DMZ/perimeter networks, antivirus software) needs help. Antivirus programs are necessary, but don't rely completely on them. If you think updated definitions protect you, look up "shikata ga nai" or "payload encoding" to see how signature-based protections can be bypassed. Many IT solutions, although they are good ideas, will not work properly in a control-system environment. This is primarily because some IT technologies do not understand control-system protocols or rule sets, and because they were not designed with resiliency and availability as the most important requirements. The "help" is your people: talented, security-minded people are your best defense. (Are you sensing a theme here?) The attack mentioned above leverages a weakness incorporated by the vendor; however, it can be mitigated by blocking and/or closely monitoring access to sensitive devices such as routers.
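
To see why "updated definitions" are not enough, it helps to watch a signature fail. The block below is an added example for this article, not code from the authors and not the real shikata_ga_nai encoder: it implements a simplified, byte-wise version of the same idea (XOR with a key that advances by additive feedback) on a constructed text payload rather than shellcode, and shows that a byte-pattern signature that matches the plain payload matches none of its 256 encoded forms.

```python
"""Why an up-to-date signature does not catch an encoded payload.

Added example for this article; not code from the authors and not the real
shikata_ga_nai encoder.  It implements a simplified, byte-wise version of the
same idea, XOR with a key that advances by additive feedback, on a constructed
text payload (no shellcode) and shows that a byte-pattern signature matching
the plain payload does not match the encoded form.
"""

# Constructed stand-in for a malicious byte string and for the signature an
# antivirus product might carry for it.
PAYLOAD = b"This is the constructed payload a signature would key on"
SIGNATURE = b"constructed payload"


def encode(data, key):
    """XOR each byte with a running key; after each byte the key is advanced
    by adding the plaintext byte (additive feedback), so identical plaintext
    bytes do not encode to identical output bytes."""
    out = bytearray()
    k = key & 0xFF
    for b in data:
        out.append(b ^ k)
        k = (k + b) & 0xFF
    return bytes(out)


def decode(data, key):
    """Mirror of encode(): the decoder stub at the front of a real encoded
    payload does exactly this before jumping to the recovered bytes."""
    out = bytearray()
    k = key & 0xFF
    for e in data:
        b = e ^ k
        out.append(b)
        k = (k + b) & 0xFF
    return bytes(out)


def signature_match(blob, signature=SIGNATURE):
    """What a static, byte-pattern signature check does."""
    return signature in blob


def compare(key):
    """Run the signature against the plain and the encoded payload."""
    encoded = encode(PAYLOAD, key)
    return {
        "plain_detected": signature_match(PAYLOAD),
        "encoded_detected": signature_match(encoded),
        "roundtrip_ok": decode(encoded, key) == PAYLOAD,
    }


def variants_differ(keys):
    """Each key yields a different ciphertext, so a signature written for one
    encoded sample does not match the next sample either."""
    encodings = {encode(PAYLOAD, k) for k in keys}
    return len(encodings) == len(set(keys))


if __name__ == "__main__":
    print(compare(0x5A))
    print("256 distinct encodings:", variants_differ(range(256)))
```

The lesson for the defender is the one the article draws: the bytes a signature keys on never appear on the wire or on disk, only in memory after the decoder runs, so a product that cannot emulate or observe execution is matching the wrong thing. The decoder stub is itself a pattern, which is why real encoders randomize it too.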

No Silver Bullets

No product or service you buy is a silver bullet—and some salespeople and companies will say anything to get a sale. I have seen a few data-loss prevention solutions that are easily bypassed using WinZip software or even the formatting capabilities in standard programs. Test the claims a vendor makes to see whether you can exfiltrate data unnoticed from behind the vendor’s device. And finally, build a testing cycle into any product or service purchase that allows for validation of its marketing material.
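
The WinZip bypass mentioned above is easy to reproduce, and reproducing it is exactly the kind of validation a purchase should include. The following is an added example for this article, not code from the authors or from any DLP vendor: naive_scan() is the simplistic raw-byte pattern match that a zipped file defeats, and should_block() is the check a product should pass, unpacking archives (nested up to an assumed depth) and failing closed on members it cannot inspect. The document, the SSN-shaped pattern and the size limit are constructed or assumed.

```python
"""Testing a DLP claim: does the filter see inside a zip archive?

Added example for this article; not code from the authors or from any DLP
vendor.  The document, the pattern and the limits are constructed or assumed.
"""
import io
import re
import zipfile

# Assumed sensitive-data pattern: a US SSN-shaped number.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample document.
SAMPLE_DOC = b"Customer record\nName: J. Doe\nSSN: 123-45-6789\n"

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed limit; guards against zip bombs
MAX_DEPTH = 5                        # assumed limit on nested archives


def naive_scan(blob):
    """A pattern match over the raw bytes, which is all some filters do."""
    return SSN_RE.search(blob) is not None


def zip_bytes(name, data):
    """Wrap data in a deflated zip, as an employee with WinZip would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def should_block(blob, depth=0):
    """True if the data contains the pattern or cannot be fully inspected.

    Matches the raw bytes first, then unpacks any zip (nested up to MAX_DEPTH)
    and inspects each member.  Encrypted, oversized or malformed archives are
    blocked rather than passed: an archive the filter cannot read leaving the
    network is exactly what it exists to stop."""
    if SSN_RE.search(blob):
        return True
    if not blob.startswith(ZIP_MAGICS):
        return False
    if depth >= MAX_DEPTH:
        return True                       # too deeply nested to verify
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # encrypted member, unreadable
                    return True
                if info.file_size > MAX_MEMBER_BYTES:
                    return True           # refuse rather than inflate
                if should_block(zf.read(info), depth + 1):
                    return True
    except zipfile.BadZipFile:
        return True                       # claims to be a zip but is not
    return False


def run_comparison():
    """The test cycle the article asks for, in miniature."""
    wrapped = zip_bytes("record.txt", SAMPLE_DOC)
    nested = zip_bytes("inner.zip", wrapped)
    clean = zip_bytes("memo.txt", b"no sensitive data here")
    return {
        "plain_naive": naive_scan(SAMPLE_DOC),      # filter sees the SSN
        "zipped_naive": naive_scan(wrapped),        # the WinZip bypass
        "zipped_block": should_block(wrapped),      # unpacked and caught
        "nested_block": should_block(nested),       # zip inside a zip
        "clean_block": should_block(clean),         # no false positive
    }


if __name__ == "__main__":
    for name, verdict in run_comparison().items():
        print("%-14s %s" % (name, verdict))
```

Run the same comparison against the vendor's appliance instead of naive_scan(): if a deflated archive, a nested archive or a password-protected archive carrying your test record passes unnoticed, the marketing material has been validated in the way that matters.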

Test your environment with real scenarios. Don't prescribe the environment to the testing entity, whether you have hired an outside firm or developed an internal penetration-testing or red team. Additionally, make sure you understand the differences between vulnerability assessments, penetration testing and red teaming. Each type of test has a place, depending on the types of systems you are testing. For example, while red teaming gives you the best perspective on a real-world attack, you may not want to attempt it in a production environment. Make the test as real as possible, or you will not know where you actually stand and could be lulled into a false sense of security. When you get your report, implement the recommendations. If there are no recommendations for the discovered vulnerabilities, you've hired the wrong people. If you received only the report or a tool's output from a test, you've also hired the wrong people.

In the case of the smart grid, with great opportunity comes great responsibility. The rewards of managing industrial or building energy costs stand to be substantial, particularly when paired with a security team and system that’s appropriate for the new model a smart grid introduces.


About the Authors

Erich Gunther is an IEEE Smart Grid technical expert and CTO, EnerNex. Slade Griffin is director of energy systems security, EnerNex.