

Hacking the Smart Grid - p3ll0n
http://www.technologyreview.com/computing/25920

======
tptacek
Quick correction: Mike Davis did a lot of fundamental research on the platform
IOActive attacked for Black Hat in 2009, but my understanding is that Travis
Goodspeed wrote the actual exploit code used in the demonstration.

I point this out not to diminish Davis' work, which I'm sure was great, but to
illustrate the extent to which "smart grid" attacks are in vogue right now in
vulnerability research. There were, I believe, at least 4 talks on it at Black
Hat this year. Every software security consultancy in the country has done
multiple projects targeting "smart grid" components in general and automated
metering (AMI) in particular.

Smart grid components are interesting to me not because they're a vector for
flashy (and horrific) real-world attacks, but because they demand a different
strategy for mitigating attacks.

In conventional software, dev teams can rely on a "get it right and then patch
what breaks" approach. While updating software is notoriously difficult, it is
at least a plausible response to a serious security flaw.

When you deploy 100,000 smart meters running RTOS's on TI microcontrollers,
this strategy doesn't work. Anything straightforward you do to make those
meters feasible to update is going to blow up in your face. And this is an
extremely unforgiving place to deploy security countermeasures; you face not
only strict code-size limits on the meters themselves, but also RF protocols
that need to squeeze every bit out of every message.

I think the winning strategy for the "smart grid" is, like Blu-Ray,
renewability. Instead of trying to train 500 microcontroller realtime C devs
in secure code and crypto protocols, people should sit down and devise
mechanisms to recover from security flaws. Things as simple as protocol
versioning, or the ability to shun/revoke specific devices, or the ability to
fault to manual reads are likely to make a bigger difference than whether the
devices are using truncated SHA1 vs. SHA256.
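The three recovery mechanisms named in this comment (protocol versioning, shunning/revoking specific devices, and faulting to manual reads) can be sketched as a head-end acceptance policy. This is an added example, not code from the thread or from any AMI vendor; the message layout, meter IDs and version numbers are constructed and hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Reading:
    """Constructed, hypothetical AMI reading message (not a real AMI format)."""
    meter_id: str
    proto_version: int
    kwh: float


@dataclass
class HeadEndPolicy:
    """Head-end acceptance policy built around renewability rather than patching meters."""
    min_proto_version: int = 1                               # raised when an older version is found flawed
    revoked: Set[str] = field(default_factory=set)           # meters shunned after compromise or tampering
    manual_read_queue: List[str] = field(default_factory=list)  # fallback: send a person to read the meter

    def retire_protocol_below(self, version: int) -> None:
        """Protocol versioning: once a flaw is found in older versions, stop trusting them fleet-wide."""
        self.min_proto_version = max(self.min_proto_version, version)

    def revoke(self, meter_id: str) -> None:
        """Shun/revoke one specific device without touching the rest of the fleet."""
        self.revoked.add(meter_id)

    def accept(self, msg: Reading) -> Tuple[bool, str]:
        """Return (accepted, reason). Any rejected meter faults over to manual reads."""
        if msg.meter_id in self.revoked:
            self._fault_to_manual(msg.meter_id)
            return False, "revoked"
        if msg.proto_version < self.min_proto_version:
            self._fault_to_manual(msg.meter_id)
            return False, "protocol version retired"
        return True, "ok"

    def _fault_to_manual(self, meter_id: str) -> None:
        """Billing continues on a manual read instead of trusting an untrusted device."""
        if meter_id not in self.manual_read_queue:
            self.manual_read_queue.append(meter_id)


def run_demo():
    """Constructed scenario: a flaw is found in protocol v1 and one meter is found tampered with."""
    policy = HeadEndPolicy()
    batch = [
        Reading("MTR-0001", 1, 12.5),   # still speaks the old protocol
        Reading("MTR-0002", 2, 8.0),
        Reading("MTR-0003", 2, 9.1),    # later pulled off the wall and opened up
    ]
    before = [policy.accept(m)[0] for m in batch]   # everything accepted before the incident
    policy.retire_protocol_below(2)                 # v1 found flawed: stop accepting it
    policy.revoke("MTR-0003")                       # shun the tampered device by identity
    after = [policy.accept(m) for m in batch]
    return before, after, list(policy.manual_read_queue)


if __name__ == "__main__":
    print(run_demo())
```

The point of the structure is that neither response needs new firmware on the meters: retiring a version and revoking a device are head-end decisions, and the manual-read queue keeps billing working while the fleet is in that degraded state.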

------
sophacles
This has been a point of discussion for at least half a decade. The article
has nothing that hasn't been posted to HN before. My take on the playing
field: Smart grid stuff has a weird confluence of stuff going for it, which is
bad for security, but not as bad as the doom-and-gloom-for-profit folks say it
is.

* Very legacy systems are very much in play, and compatibility is a requirement -- replacement and modernization is extremely expensive and time consuming.

* Old school engineers who hang on to the "the power grid is different, we need specialized, non-standard IT systems" mentality. This is partially true, but not to the point they make it.

* A general distrust among power grid engineers (including software) of anyone claiming that "evil hackers are everywhere". They don't understand certain software issues, like once an exploit is found it is essentially free to take advantage of, which is the exact opposite of many real-life security issues.

* Utilities that view security as a matter of procedural compliance with some set of rules.

These combine for a bleak picture; the tempering, though, comes from:

* vendors and regulators (DOE, NERC, FERC) are very concerned with security at all levels.

* researchers are starting to show how real, physical damage can be caused by cyber-security problems (not just hypothetical, but demonstrable, bottom line affecting issues).

* recognition by the more pragmatic older engineers that today's "kids" are maybe on to something using commodity communications and software instead of custom everything. This has inherent security benefits in many places.

All that being said, this is a giant field, and the "smart grid" is not one
thing (in fact, if you have n people talking about it, (n-1)^2 definitions of
smart grid will usually emerge) -- security for the grid is an exciting and
interesting place to be.

~~~
tptacek
It's going to be "custom-everything" for the foreseeable future, since the
grid operators want (need) to deploy this stuff in a tower-and-mesh topology.
Even if you managed to build a system out of "COTS" technology (say, GSM and
IP multicast), you'd still be working with technology that gets virtually no
ongoing scrutiny from software security teams.

Unfortunately, I think software security expertise is going to be relegated to
nipping at the edges of this problem, which the vendors and grid operators
appear to be delegating to the "national labs" like Sandia and Idaho.

~~~
sophacles
Meshing is the only reasonable way to network the meters and related
communications (collectively AMI), but at the substation level (for
distribution and transmission networks) you can realistically start using
COTS. People like Schweitzer who are already entrenched may try to keep the
custom everything model, but there are serious efforts to at the very least
use a single standard stack. Big pushes for 61850 in the substation and a
common wide area solution for utility-utility and utility-regional coordinator
communications are happening right now.

They may be somewhat custom, but they are more COTS/standardized than
previously. Further there are several FOAs right now that require a built-in
security component. These FOAs fund next-gen technology development, so I am
not sure how you see this as only an "edge problem".

~~~
tptacek
The systems I've worked on are all COTS from the tower on back (but then,
they're all custom apps back there too, so it's not like there's a lot of
safety to be gained from being on an IP network).

But who cares what they're using at the tower? Breaking into the distribution
layer is a vanity attack if you can wreak havoc with 100,000 meters.

People who see "security" as a "component" of a software/hardware solution
typically don't actually "get it"; these are the people that just can't get
their heads around the fact that attackers will rip meters off walls, crack
them open, JTAG them up and use them as modems. It always sounds so
self-aggrandizing to say this, but you have to do security pervasively, from
design to implementation to testing, to make a dent in the problem.

~~~
sophacles
I think we are speaking past each other. You are talking about the problems
that arise from crappy meters. I don't deny this. Further, the security needs
in those meters are high. I say this from a consumer protection and a grid
protection point of view (as in part of a larger defense in depth framework).
And, the meters should be as secure as possible from general principle too.

However, my point is that the doom-and-gloom type scenarios, of "OMG the
meters are insecure, now they own the power grid" is not realistic. There are
other systems on other networks that can isolate and/or shut down places that
have misbehaving meters. This is a result of grid operators being very
paranoid about malfunction -- and at the level you are talking about, this
looks to the grid like a malfunction. There are billions of dollars of
infrastructure to protect, and from that point of view, they have already made
some good moves from security standpoint -- a coordinated effort on many
levels is required to get the grid to a failure state.

Again, I agree that security must be part of the entire process, however there
is the other, equally valid point, which says "at some point, there will
always be cheaters, and as a result this must be dealt with in a cost/benefit
context". In many ways it could be cheaper to go with a fairly insecure smart
meter and just look for evidence of tampering with statistical comparisons and
the occasional man in the field to look for physical evidence of tampering. I
think this is particularly notable, as there is no good way to prevent people
from getting physical access (security kiss of death) to the meters anyway.

~~~
tptacek
I don't think we're talking past each other. You and I appear to disagree
about the value of a region-wide compromise of smart meters; you point out
that at least the grid operator hasn't lost its distribution network when that
happens, and I point out "so what? attackers are still randomly cutting off
everyone's power!"

The big gap between where you are and where I'm at is that you're operating
under the assumption that all the meters do is count stuff. No.

