Blackout: When Hackers Switch Off the Power

This blog post serves as a background article to the SRF theme day «Blackout»: What if Switzerland suddenly had no electricity, Monday, 2 January 2017, 13:00 to 22:00 (SRF News, SRF Kultur Wissen feature).


How do hackers proceed when they want to gain unauthorised access to someone else's systems, for example the network of an energy utility? Compass Security worked along these patterns for the SRF 1 Blackout day. This article aims both to make you aware of the attacker's side and to give valuable tips for defence.

Who is Compass Security

Compass Security is a Swiss company based in Rapperswil-Jona, with offices in Bern and Berlin, that tests the security of IT systems on behalf of its customers. This activity is also called penetration testing or ethical hacking. Essentially it is about finding security vulnerabilities before real hackers exploit them. Organisations that have themselves tested regularly become significantly better at cyber defence.

How a Hacker Attack Proceeds

Direct Attacks

Direct attacks target a company's IT infrastructure head-on. Typically, an attacker looks for vulnerabilities on a perimeter system that is exposed to the Internet.

  1. An attacker tries to gain unauthorised access to internal systems.
  2. The attacker, for example from the Internet, looks for open services that he might exploit to break in.
  3. An insufficiently protected service gives the attacker access to internal systems.

Indirect Attacks

In contrast to direct attacks, indirect attacks do not directly exploit a vulnerability on an Internet-exposed system. Instead, they try to bypass a company's perimeter security.

Variant 1: Man-in-the-Middle / Phishing Attacks

  1. An attacker inserts himself into the communication path between two parties. This lets him read sensitive information.
  2. The attacker uses the information obtained to access internal systems unnoticed.

Variant 2: Malware / Mobile Devices / WLAN

  1. An attacker infects a device with malware.
  2. Through the malware the attacker gains control of the infected device, which has access to other internal systems.
  3. In addition, an attacker can get into the internal network via other access points, for example insecure wireless LAN access points.

Variant 3: Covert Channel (Inside-Out Attack)

  1. An attacker prepares a medium such as a USB stick or CD-ROM with malware.
  2. The attacker gets the victim to use the medium.
  3. The malware runs automatically and connects back to the attacker unnoticed. The attacker gains control of the infected device.

Six Tips for Defence

  1. Regularly update the operating system, browser and application software
  2. Protect yourself with a firewall and anti-virus software
  3. Use strong passwords and change them regularly
  4. Delete e-mails from unknown senders; be careful when opening attachments
  5. Be cautious with unknown media such as USB sticks or CD-ROMs
  6. Make backups regularly

How can Compass Security support your company?

  • Penetration tests: simulation of attacks with or without insider knowledge
  • Security reviews: examination and analysis of systems and configurations
  • Incident response: support during and after attacks
  • Security trainings: education and awareness

We will gladly check whether access to your most important systems is secure!

References

The following references offer tips and suggestions on frequently asked questions.

Making of Compass bIOTech v1.0

The “Internet of Things” (IoT) grows quickly. More and more devices are connected to the Internet to automate tasks and simplify life. Fridges automatically order milk, cars are taught to self-drive via a simple update and bridges send live updates about their structural integrity.

According to Gartner’s 2016 Tech Trends, IoT will define the shape of tomorrow’s business. At Compass, we also appreciate the impact of connected devices in the near future, in terms of how they can make our lives easier, and how they can make our information more exposed. With this in mind, we recently opened a new security training on the basics of IoT and their vulnerabilities.

Compass bIOTech v1.0 is our own piece of Hardware in the grand IoT puzzle of devices. This smart device has been designed to measure the moisture level of plant pots using a capacitive sensor. It then connects to the cloud (Hacking-Lab) and an e-mail alert can be sent in case of low humidity level.

But before it reached its v1.0 state, the Compass bIOTech sensor went through multiple stages of development between an original idea and its realisation:

1 – Idea

To give a little life to your office, or to make your living room livelier, green stuff is always a nice addition to your everyday environment. Problem: these things need attention! We all at some point forgot to water a plant, and came back after a day, a weekend, or a longer holiday to find it dried out.


The plant of Ivano, at Compass Office Bern

At Compass, we decided to tackle this problem and to grow ourselves a green thumb, green like a circuit board! With no time to spare, Reto Schädler started the design, with a few necessary features in mind:

  1. one must be able to configure the device’s humidity threshold,
  2. a status should be readable directly on the device,
  3. the thing must communicate with a cloud,
  4. the battery should last long.

2 – Circuit Board Design

Schematic Compass bIOTech v1.0

The capacitive humidity sensor consists of a circuit path that is charged via the resistor R5. Using this, we can measure how long it takes until the voltage reaches half of the operating voltage.

The 32-bit ESP8266 microcontroller can be programmed with the Arduino development environment and has built-in Wi-Fi capabilities. It requires an operating voltage of 3.0 – 3.6 V and runs at 80 MHz.

Since the two AA batteries deliver at most 3 V, a step-up converter to 3.3 V is necessary. And because of the required battery lifetime, a wake-up chip is used to cut the power supply via a MOSFET.

Prototype Compass bIOTech v1.0

3 – Realisation


Left: PCBA 3D Altium Designer, Right: Compass bIOTech v1.0 PCBA

In configuration mode, the chip acts as a Wi-Fi AP, provides DHCP to connecting devices and serves a web GUI for configuration. In measurement mode, the device connects to the configured SSID/password and submits the moisture level, battery level and firmware version to a dedicated Hacking-Lab service.

4 – Where to get your own bIOTech device

We will be giving away a first bunch of bIOTech devices at Swiss Cyber Storm on October 19th in Lucerne. Visit the conference and walk by our booth. We will be glad to equip you with your own green thumb.

For those who can’t make it to the conference, stay tuned and sign up for our next IoT security training, where we will tinker with the devices’ interfaces and security issues.

Grab’em while they’re hot!

Software Defined Radio (SDR) and Decoding On-off Keying (OOK)

This post will give a quick intro into software defined radio (SDR) basics and provide guidance for the decoding of a very simple form of digital modulation (on-off keying).

Device Wireless Specs

Wireless junk hacking is not too difficult. Usually, devices transceive in the 433 MHz or 868 MHz ISM radio bands. As these bands are somewhat lax with licensing, all devices operating in them must be capable of tolerating interference from other band users. Pretty much comparable to the Internet 🙂 The European Communications Office (ECO) maintains a list of bands for European countries, including Switzerland. The list provides information on allocated ranges and their specific purpose, e.g. 5000 MHz to 5030 MHz is reserved for the GALILEO global navigation satellite system (GNSS) project.

The US makes it even simpler to get up to speed with any junk’s wireless configuration (frequency, modulation types and line coding). Every wireless device approved for the US market must carry an FCC ID. The online catalog provides access to the wireless specs of a device based on its ID (usually printed on the device’s back or specification sticker).

Radio Observation

Alexandru Csete’s gqrx software defined radio comes in as a handy spectrum analyzer when looking for exact frequencies. It is mainly based on the GNU Radio project and supports all well-known platforms (Ettus USRPs, BladeRF, HackRF, RTL chipset et al.).

For the devices I have at hand (light switches, temperature and humidity sensors, car keys, M-Bus transmitters) it turned out they all operate in the 433 MHz and 868 MHz bands and can be easily observed with gqrx.

The spectrum analyzer (mouse tooltip) tells us that this specific light switch operates at 433.93 MHz. Interestingly enough, gqrx also supports other fun and geeky uses such as listening to FM radio or eavesdropping on road work and building site radio conversations.

Signal Capturing

Well, signal capturing varies slightly depending on the device and library you use. The device I used for this tutorial is originally a DVB-T USB stick, but it comes with the relevant Realtek RTL2832 chipset and goes for a few bucks on most major reseller platforms. Check the supported hardware list on the GNU Radio site. Hat tip to the DEF CON Switzerland folks who provided me with one for cheap.

The following lines give an idea on how to capture signals with the Realtek chipset family of devices.

bla@bli:~$ rtl_sdr -f 433850000 -s 1000000 -g 20 switch.cu8
 Found 1 device(s):
 0:  Realtek, RTL2838UHIDIR, SN: 00000001

Using device 0: Generic RTL2832U OEM
 Found Rafael Micro R820T tuner
 Exact sample rate is: 1000000.026491 Hz
 [R82XX] PLL not locked!
 Sampling at 1000000 S/s.
 Tuned to 433850000 Hz.
 Tuner gain set to 19.70 dB.
 Reading samples in async mode...
 ^CSignal caught, exiting!

User cancel, exiting...

Make sure not to capture at the exact determined frequency of the device but rather slightly above or below, as the internal synthesizer would otherwise interfere with and overlay the signal. Note that we chose to sample the signal at a rate of 1 million samples per second (1 Msps) and that the output I/Q data was stored in the cu8 format. Some tools create outputs as complex signed int (.cs8, HackRF), others as complex unsigned int (.cu8, RTL), and GNU Radio prefers the complex float format (.cfile). There is a GNU Radio Companion (GRC) template and Paul Brewer’s rtlsdr-to-gqrx tool for conversion from .cu8 to .cfile, should one need to pivot between the file types.

Alternatively one could use gqrx and record or replay signals in cfile format (Menu bar => Tools => I/Q recorder, CTRL-I). Note: Replay doesn’t transmit your signal but displays your capture within gqrx.

Signal Inspection

I used inspectrum to inspect my capture files. Once loaded, the capture coloring needs some tweaking but usually gives good hints on simple modulation, codings (e.g. Manchester) and the signal’s symbol rate.

Usually, a slight zoom and adjustment of the power max and min sliders make it easy to discover the on-off keying modulation used in the example. Set the correct sample rate and drag the grid over the signal in order to determine the symbol rate of the signal.

The symbol rate of the switch signal is 1631 Hz. Scrolling through the capture also reveals that the on and off signals of the switch differ only in a few locations, share the same bit heading and are sent multiple times in a sequence. Pressing the button once obviously results in three or more transmissions of the on or off signal.

Signal Decoding

The GRC is the tool of choice for simple digital signal processing. It provides a building block GUI that allows for quick design of processing flows. The following design serves as a quick and dirty approach for OOK demodulation.


The relevant variables for the decoding are the sample rate (samp_rate: 1 Msps) and the symbol rate (baud_rate: 1631 Hz) which must be set to the values determined before.

The file source points to the .cfile version of the previously captured signals and feeds data into a throttle block to avoid infinite processing speed. The “Complex to Mag^2” and “Threshold” blocks convert the signal waveforms into a rectangular pulse train of ones and zeros. Note that the data type switches from complex (light blue) to float (orange) at the “Complex to Mag^2” block.

The “Keep 1 in N” block ensures that one bit is represented by a single data point. N is computed as samp_rate/baud_rate. Note that such a rough way of signal processing may not work with signals that slightly vary the baud rate or with long-lasting sequences. Even with short signals one must expect small errors. The scope sink then displays the decoded binary values.

Compare the scope plot to the previous inspectrum screenshot and you will notice that the demodulated signal indeed matches the figure in inspectrum.
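As an added example, not code from the original post, the GRC flow above rebuilt in plain Python: a constructed .cu8 burst is generated at an 80 kHz offset (the 433.93 MHz switch as seen from the 433.85 MHz tuning) and then run through the same Mag^2, Threshold, Keep 1 in N and Unpacked to Packed steps. The example bits, noise level, carrier amplitude and threshold are assumptions, not the real switch code.

```python
import math
import random

SAMP_RATE = 1_000_000        # 1 Msps, as captured with rtl_sdr -s 1000000
BAUD_RATE = 1631             # symbol rate measured with inspectrum
SPS = SAMP_RATE // BAUD_RATE  # samples per symbol; GRC's N = samp_rate/baud_rate (613)
OFFSET_HZ = 80_000           # assumed: 433.93 MHz switch seen from the 433.85 MHz tuning

# Constructed switch code for the demo; the real light switch bits are not reproduced here.
EXAMPLE_BITS = [1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0]


def _to_u8(x):
    """Map a float in [-1, 1] to the unsigned 8-bit range of .cu8 files (127.5 = zero)."""
    return max(0, min(255, int(round(127.5 + 127.5 * x))))


def synth_cu8(bits, sps=SPS, offset_hz=OFFSET_HZ, amp=0.7, noise=0.05, seed=1):
    """Constructed .cu8 capture of an OOK burst: interleaved unsigned 8-bit I,Q samples.

    A '1' symbol is an unmodulated carrier at offset_hz, so in baseband it is a rotating
    phasor; a '0' symbol is receiver noise only (Gaussian, assumed level).
    """
    rng = random.Random(seed)
    out = bytearray()
    n = 0
    for bit in bits:
        for _ in range(sps):
            phase = 2 * math.pi * offset_hz * n / SAMP_RATE
            a = amp if bit else 0.0
            i = a * math.cos(phase) + rng.gauss(0.0, noise)
            q = a * math.sin(phase) + rng.gauss(0.0, noise)
            out.append(_to_u8(i))
            out.append(_to_u8(q))
            n += 1
    return bytes(out)


def mag2_threshold(cu8, threshold=0.25):
    """GRC 'Complex to Mag^2' followed by 'Threshold': one 0/1 decision per I/Q sample."""
    out = []
    for k in range(0, len(cu8) - 1, 2):
        i = (cu8[k] - 127.5) / 127.5
        q = (cu8[k + 1] - 127.5) / 127.5
        out.append(1 if i * i + q * q > threshold else 0)
    return out


def keep_1_in_n(samples, n=SPS, phase=None):
    """GRC 'Keep 1 in N': one sample per symbol. Sampling at the symbol centre (phase = n // 2)
    is more forgiving of a slightly wrong baud rate than a fixed phase, but both drift on
    long bursts, which is the limitation the post mentions."""
    if phase is None:
        phase = n // 2
    return samples[phase::n]


def unpacked_to_packed(bits):
    """GRC 'Unpacked to Packed', MSB first: eight 0/1 values become one byte
    (0 0 0 1 1 1 1 1 -> 0x1F). A trailing partial byte is dropped."""
    out = bytearray()
    for k in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[k:k + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def demodulate(cu8, sps=SPS):
    """The whole flow graph: .cu8 bytes -> list of symbol bits."""
    return keep_1_in_n(mag2_threshold(cu8), sps)


if __name__ == "__main__":
    capture = synth_cu8(EXAMPLE_BITS)
    bits = demodulate(capture)
    print("".join(map(str, bits)), unpacked_to_packed(bits).hex())
```

Feeding a real rtl_sdr .cu8 file into demodulate() works the same way, but the threshold then has to be picked from the capture's own noise floor, just as in inspectrum.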

Signal Analysis

GRC Visualization Support

None of the visual sinks in GRC provide easy means to visualize binary streams and adjustments to easily spot patterns and variations between streams. Thus, I decided to come up with a custom out-of-tree module for binary visualization and inspection, in short BinViz.

The initial GRC project requires small adjustments to feed data into BinViz instead of the WX GUI Scope.

The “Float to Char” block converts float values into 0x00 and 0x01. The “Unpacked to Packed” block then squeezes eight chars into a single byte (e.g. 0x00 0x00 0x00 0x01 0x01 0x01 0x01 0x01 => 0x1F) and feeds this into BinViz.

BinViz Configuration

The parameters start, end and drop pattern allow adjusting how streams are displayed and aligned. These parameters take strings composed of 0s and 1s, e.g. 01010101 as a preamble or start pattern. The display starts a new line for each occurrence of the start pattern. On detection of the end pattern the display wraps to a new line. In case both the start and the end pattern are defined, the display drops any out-of-bounds bits and only displays streams from start to end, one per line. Once the start pattern has been detected, additional occurrences of it are ignored until the end pattern is detected.

To get rid of long sequences of zero bytes or arbitrary unwanted bit sequences, set “skip zero bytes” to true or define a string of 0s and 1s as the drop pattern to be removed. Note that the drop pattern and “skip zero bytes” take precedence over the start and end detection patterns.

The display itself allows for some semi-live adjustments and manual analysis. E.g. the mouse wheel zooms the display in and out while new bits are being displayed instantly. Once the display is clicked it stops painting new bits and shows a cursor with its x/y position. In that mode, one can easily count bits or select part of the bitstream for magnification and closer inspection.

Visual Signal Analysis

Earlier analysis using inspectrum lets us observe six occurrences of the on signal when switching on and another six occurrences of the off signal when switching off. For this type of wireless junk it is probably irrelevant how many times the receiver picks up the signal. As noted earlier, sending the signal multiple times is rather a matter of resilience towards other ISM band users: just to make sure it’s being picked up, sooner or later.

BinViz was configured with “11010011” as the start and “1001001001001001001” as the end pattern. That way, only relevant data is displayed. Thanks to BinViz’s capabilities the six on and off signals are easily recognizable as single rows. Moreover, the differences between the on and off signals are immediately clear.

Looking forward to your contributions: https://github.com/CBrunsch/BinViz
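As an added example (my own reimplementation of the behaviour documented in the BinViz Configuration section, not BinViz's code), the start/end/drop alignment rules applied to a constructed bit string using the start and end patterns given above, plus a small helper that reports the columns in which the aligned rows differ, which is the on-versus-off comparison the screenshot shows. That “skip zero bytes” removes octets aligned to the stream start is my assumption.

```python
START = "11010011"               # start pattern used in the post
END = "1001001001001001001"      # end pattern used in the post


def drop_bits(bits, drop=None, skip_zero_bytes=False):
    """Apply the drop rules first: they take precedence over start/end detection.
    skip_zero_bytes removes whole 00000000 octets (assumed: aligned to the stream start);
    drop removes every non-overlapping occurrence of the given pattern, left to right."""
    if skip_zero_bytes:
        octets = [bits[k:k + 8] for k in range(0, len(bits), 8)]
        bits = "".join(o for o in octets if o != "00000000")
    if drop:
        bits = bits.replace(drop, "")
    return bits


def _find_all(bits, pattern):
    """Start indices of non-overlapping occurrences of pattern, left to right."""
    pos, hits = 0, []
    while True:
        i = bits.find(pattern, pos)
        if i < 0:
            return hits
        hits.append(i)
        pos = i + len(pattern)


def frame_rows(bits, start=None, end=None):
    """Split a 0/1 string into display rows the way BinViz aligns them."""
    if start and end:
        # Both defined: keep only start..end spans, drop out-of-bounds bits, and ignore
        # further start patterns until the end pattern has been seen.
        rows, pos = [], 0
        while True:
            s = bits.find(start, pos)
            if s < 0:
                return rows
            e = bits.find(end, s + len(start))
            if e < 0:
                return rows                  # unterminated span: out of bounds, dropped
            rows.append(bits[s:e + len(end)])
            pos = e + len(end)
    if start:
        cuts = _find_all(bits, start)        # a new row begins at each start pattern
    elif end:
        cuts = [i + len(end) for i in _find_all(bits, end)]   # wrap after each end pattern
    else:
        return [bits] if bits else []
    bounds = [0] + cuts + [len(bits)]
    return [bits[a:b] for a, b in zip(bounds, bounds[1:]) if b > a]


def binviz(bits, start=None, end=None, drop=None, skip_zero_bytes=False):
    """Drop rules, then framing: the rows BinViz would paint for this configuration."""
    return frame_rows(drop_bits(bits, drop, skip_zero_bytes), start, end)


def diff_columns(rows):
    """Bit positions at which equal-length rows differ, e.g. between the on and off codes."""
    width = len(rows[0])
    if any(len(r) != width for r in rows):
        raise ValueError("rows must have equal length to be compared column by column")
    return [k for k in range(width) if len({r[k] for r in rows}) > 1]


if __name__ == "__main__":
    # Constructed stream: an "on" and an "off" frame with junk bits around them.
    on, off = START + "0101" + END, START + "0111" + END
    stream = "000" + on + "00000000" + "11" + off + "1"
    rows = binviz(stream, start=START, end=END)
    print("\n".join(rows), "differ at", diff_columns(rows))
```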

Hands-on, IoT Security Training

If you need more hands-on with junk hacking or analysis of IoT devices, then you are very welcome to join us for our brand new practice-oriented training on “IoT Security”, held in German at the Compass head office in Jona on September 20th/21st 2016. Sign up here.

DCF77 Time Signal Manipulation

This article shows how easily the DCF77 time signal broadcast by radio can be manipulated. DCF77 is used in many areas where an accurate time is needed: from the simple wristwatch to the industrial plant.

What is DCF77

The time signal transmitter DCF77 has existed in Europe since 1959. The transmitter has a range of 2000 km and is located in Mainflingen, Germany. Three atomic clocks serve as the time base. Some newer receivers rely on GPS instead of DCF77, but have the disadvantage of needing an outdoor antenna for reception. Solutions with an Internet connection, on the other hand, usually obtain their time over the network.

Image source: https://de.wikipedia.org/wiki/DCF77#/media/File:Dcf_weite.jpg

DCF77 range map

Where is DCF77 used

DCF77 is used, among other places, in church tower clocks, traffic light systems, tariff switching clocks at energy utilities, industrial environments, servers, public transport, broadcasting, and ordinary alarm clocks and wristwatches.

What are the consequences of time manipulation

If the neighbour's alarm clock is manipulated, the resulting damage is generally limited. Contrast this with automation solutions such as those found in the food or chemical industry, where wrong process times can cause immense damage.
The effects can also be felt in IT communication, for example if computer certificates lose their validity after a time manipulation because their validity period appears to have expired. Encrypted communication then fails.

A home-built DCF77 transmitter

Unlike receivers, DCF77 transmitters are hardly available to the public. But what if one wants to send a DCF77 signal oneself? The effort needed to build a short-range transmitter (hardware and software) is about the same as that needed to build a receiver. The information required to build a transmitter (protocol, transmit frequency, modulation) is easy to find on the Internet, since it is also needed to build a receiver.

To demonstrate the vulnerability of DCF77 systems, a small transmitter with a range of about 30 cm was built. Greater range would require a larger antenna and an amplifier. This would be possible with little effort, but transmitting the signal would be illegal. With the transmitter, arbitrarily manipulated time information (date/time/weekday) can be sent, which is adopted by the DCF77 clocks within range.

DCF77 pirate transmitter: DECEEF77

Project goal: a short-range DCF77 pirate transmitter. Shown is the self-developed hardware and software DECEEF77 V.1.0. After switching on, i.e. connecting the mini USB power supply, the timestamp to be sent can be set with the three buttons (+ / Enter / -).

Protocol

Carrier frequency: 77.5 kHz
Modulation: amplitude modulation
Bit rate: 1 bit per second
0.1 s carrier reduction: logical 0
0.2 s carrier reduction: logical 1
59th second: no carrier reduction

The following figure shows the transmit power over time. Every second the transmit power is reduced for 0.1 seconds (logical 0) or 0.2 seconds (logical 1); in the 59th second there is no reduction.

DCF77 AM modulation

The timestamp is transmitted completely within one minute. The following circle diagram shows the 59 bits transmitted per minute. One bit is transmitted per second, marked by a tick on the circle.

DCF77 circle diagram

The timestamp is encoded in bits 21 to 58. The bits marked P1, P2 and P3 are the parity bits used to validate that the signal was transmitted correctly.
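As an added example, not part of the original article or of the DECEEF77 firmware, the frame layout described above encoded and checked in Python: the minute, hour and date fields in BCD within bits 21 to 58, the P1/P2/P3 even-parity bits, and the per-second carrier reduction durations. The field boundaries and the leading status bits follow the public DCF77 specification; interpreting the two-digit year in the 21st century and the sample time are assumptions. The decoder also shows that the parity bits catch a single flipped bit but not two flips in one field, which is why parity is no protection against a deliberately altered signal.

```python
from datetime import datetime

# Bit positions within one DCF77 minute (seconds 0 .. 58); second 59 has no carrier reduction.
MINUTE, P1 = slice(21, 28), 28
HOUR, P2 = slice(29, 35), 35
DAY, WEEKDAY, MONTH, YEAR = slice(36, 42), slice(42, 45), slice(45, 50), slice(50, 58)
DATE, P3 = slice(36, 58), 58
CENTURY = 2000   # assumption: the two-digit year is interpreted in the 21st century


def _bcd(value, ones_bits, tens_bits):
    """BCD as DCF77 sends it: ones digit LSB first, then tens digit LSB first."""
    ones, tens = value % 10, value // 10
    return [(ones >> k) & 1 for k in range(ones_bits)] + [(tens >> k) & 1 for k in range(tens_bits)]


def _unbcd(bits, ones_bits):
    ones = sum(b << k for k, b in enumerate(bits[:ones_bits]))
    tens = sum(b << k for k, b in enumerate(bits[ones_bits:]))
    return tens * 10 + ones


def _parity(bits):
    """Even parity: the parity bit makes the number of ones in field plus bit even."""
    return sum(bits) & 1


def encode_fields(year, month, day, weekday, hour, minute, cest=False):
    """59 bits of one minute. weekday is 1 (Monday) .. 7 (Sunday). Bits 1-14 (civil
    warning/weather), 15 (call), 16 (DST announcement) and 19 (leap second) are left at 0."""
    bits = [0] * 21
    bits[17] = 1 if cest else 0   # CEST flag
    bits[18] = 0 if cest else 1   # CET flag
    bits[20] = 1                  # start of the time information, always 1
    minute_bits = _bcd(minute, 4, 3)
    hour_bits = _bcd(hour, 4, 2)
    date_bits = (_bcd(day, 4, 2) + _bcd(weekday, 3, 0)
                 + _bcd(month, 4, 1) + _bcd(year % 100, 4, 4))
    bits += minute_bits + [_parity(minute_bits)]
    bits += hour_bits + [_parity(hour_bits)]
    bits += date_bits + [_parity(date_bits)]
    return bits


def encode_frame(dt, cest=False):
    """Convenience wrapper for a datetime in CET (or CEST if cest=True)."""
    return encode_fields(dt.year, dt.month, dt.day, dt.isoweekday(), dt.hour, dt.minute, cest)


def decode_frame(bits):
    """Decode one minute and validate the frame markers and P1/P2/P3; raises ValueError on error."""
    if len(bits) != 59 or bits[0] != 0 or bits[20] != 1:
        raise ValueError("frame markers wrong (59 bits, bit 0 must be 0, bit 20 must be 1)")
    for name, field, pbit in (("P1 minute", MINUTE, P1), ("P2 hour", HOUR, P2), ("P3 date", DATE, P3)):
        if _parity(bits[field]) != bits[pbit]:
            raise ValueError(f"{name} parity error")
    return {
        "minute": _unbcd(bits[MINUTE], 4),
        "hour": _unbcd(bits[HOUR], 4),
        "day": _unbcd(bits[DAY], 4),
        "weekday": _unbcd(bits[WEEKDAY], 3),
        "month": _unbcd(bits[MONTH], 4),
        "year": CENTURY + _unbcd(bits[YEAR], 4),
        "cest": bits[17] == 1,
    }


def carrier_reduction_ms(bits):
    """Per-second modulation of one minute: 100 ms carrier reduction for a 0, 200 ms for a 1,
    and none in second 59, which is how a receiver finds the start of the minute."""
    return [100 if b == 0 else 200 for b in bits] + [0]


if __name__ == "__main__":
    frame = encode_frame(datetime(2017, 1, 2, 13, 40))   # constructed sample time (a Monday)
    print("".join(map(str, frame)))
    print(decode_frame(frame))
    tampered = list(frame)
    tampered[21] ^= 1
    tampered[22] ^= 1          # two flips in the minute field: parity still passes
    print(decode_frame(tampered)["minute"])
```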

DECEEF77 hardware

  • µC: Atmel ATMEGA328P-PU
  • 16 MHz crystal clock
  • 77.5 kHz square-to-sine filter
  • Operational amplifier as driver for the antenna
  • A ferrite rod antenna intended for receiving the DCF77 signal was used to transmit the signal
  • PCB design with Altium Designer

Circuit description

DECEEF77 schematic

The microcontroller U1 divides the 16 MHz crystal clock down to 77.5 kHz. Port PB3 either outputs a 5 V square wave at 77.5 kHz or is switched to high impedance. This amounts to 100% amplitude modulation (full power or no power). With the output at high impedance, R2 and R4 pull the level to 2.5 V.

Several low-pass filters (R6 to R9, C6, C7, C10 and C11) convert the square wave into a sine (or sine-like) signal.

DECEEF77 low-pass filter

The operational amplifier U3 amplifies the signal and couples it to the antenna via capacitor C9.

DECEEF77 amplifier

The switches S1, S2 and S3 are connected directly to microcontroller ports configured as pull-up inputs. The switches are used to set the time (+, Enter, -).

DECEEF77 switches

U2 is the LCD display, which has a 4-bit interface.

DECEEF77 display

J1 serves as the in-circuit programming interface and uses the standard 6-pin ISP layout.

DECEEF77 ISP

The Test

A DCF77 alarm clock is used to test the transmitter. After 3 to 5 minutes the alarm clock runs in sync with the transmitter.

Embedded devices and cell phone flash memory acquisition using JTAG

Back in Black (back from Black Hat with a bag full of schwag and branded black shirts). 

Black Hat and DEF CON again allowed insights into the latest research and concerns. Where some topics lose grip (vulnerability scanning, IPv4, DNS, general web issues), others gain momentum (DDoS, mobile computing, smart energy, industrial control and embedded systems). I myself spoke on the advanced metering infrastructure and specifically on the security of the wireless M-Bus protocol. The slide deck and whitepaper are available for download from the Compass Security news page [1].

On that note, I would like to tell you about a little invention that makes reversing of embedded systems and industrial control devices somewhat easier: JTAGulator [2], a device designed by Joe Grand, aka Kingpin and former DEF CON badge designer, with the sole purpose of identifying JTAG pins and UART serial lines on printed circuit boards (PCBs). There is no need to unmount or desolder components. JTAGulator can be configured to run on a range of voltages (1.2-3.3V) and features 24 I/Os that are arbitrarily connected to the board in order to identify the relevant pins. Note that testing for the valid pinout might cause your little device to behave strangely while JTAGulator pulls lines up and down. Thus, make sure you stay at a safe distance 🙂

Now, you wonder !!!@#$ JTAG!!!… understandably. Joint Test Action Group [3] is the name for a standardized hardware interface (IEEE 1149.1) that allows testing and debugging of integrated circuits. Most embedded devices (cell phones, wireless routers, …) nowadays implement the interface. Given enough information about the target device, the chip and its peripherals can be initialized and accessed through the JTAG interface. Specifically, the interface may allow access to flash memory contents. Thus, the technology comes in handy for acquiring cell phone data at a low level or for extracting the firmware of embedded devices.

JTAG interfaces are small boxes that sit between the embedded hardware and a common computer. For example, the Swiss-based company Amontec [4] provides a high-speed general purpose interface at low cost (120 Euros). The box and its drivers are compatible with the OpenOCD software [5], an on-chip debugger that allows programming and debugging of embedded devices using a specific command set and the GNU debugger [6]. The Android community [7] has adopted the approach for debugging the Android kernel [8].

With that, I leave you for the moment and I promise we get back to you soon with more summaries on topics of interest.

References
[1] Slides and Whitepaper wireless M-Bus Security, http://www.csnc.ch/en/modules/news/news_0088.html
[2] JTAGulator, http://www.grandideastudio.com/portfolio/jtagulator/
[3] JTAG, http://standards.ieee.org/findstds/standard/1149.1-1990.html
[4] Amontec, http://www.amontec.com/
[5] OpenOCD, http://openocd.sourceforge.net/
[6] GNU Debugger, http://www.gnu.org/software/gdb/
[7] Android Kernel, http://source.android.com/source/building-kernels.html
[8] Video Android Kernel Debugging, http://www.youtube.com/watch?feature=player_embedded&v=JzMj_iU4vx

Compass Crew Member Speaking at Black Hat USA

Cyrill Brunschwiler’s talk was selected “among the very best research available today” to be presented side by side with the security industry’s top researchers at the world’s most renowned security conference, Black Hat USA in Las Vegas.

He will be speaking on “Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)”.

The work presented provides insights into the security of the Meter Bus (M-Bus) as specified within the relevant standards. The M-Bus is very popular in remote meter reading and has its roots in the heat metering industries. It has continuously been adopted to fit more complex applications during the past twenty years. According to a workshop note, an estimated 15 million devices were relying on the wireless version of M-Bus in 2010. It was analyzed whether smart meters using wireless M-Bus do fit the overall security and reliability needs of the grid or whether such devices might threaten the infrastructure.

The M-Bus standard has been analyzed whether it provides effective security mechanisms. It can be stated that wireless M-Bus seems to be robust against deduction of consumption behaviour from the wireless network traffic. For this reason, it is considered privacy-preserving against network traffic analysis. Unfortunately, vulnerabilities have been identified that render that fact obsolete. The findings are mainly related to confidentiality, integrity, and authentication.

Consequently, smart meters relying on wireless M-Bus and supporting remote disconnects are prone to become subject to an orchestrated remote disconnect which poses a severe risk to the grid. Further issues may lead to zero consumption detection, disclosure of consumption values, and disclosure of encryption keys.

The full abstract is available at https://www.blackhat.com/us-13/briefings.html#Brunschwiler. Hacking-lab.com, OWASP and ICS-labs folks attending either Black Hat or DEFCON drop me a note! I’ll be glad to meet you in person.

Lean Risk Assessment based on OCTAVE Allegro

The article will provide a quick overview and introduction into the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro [1] methodology, its approach and terminology. OCTAVE Allegro is an asset centric and lean risk assessment successor of the OCTAVE method. The method supports a straight-forward qualitative risk assessment and structured threat analysis which mainly fits for smaller organisations (few hundred employees). Figure 1 is based on [2] and groups the methodology steps into four major phases.

OCTAVE Allegro Phases

  • Phase “Establish Drivers” aims to justify and prioritise the measurement criteria for risk for a specific organisation.
  • Phase “Profile Assets” is designed to identify and document logical, technical, physical and people assets.
  • Phase “Identify Threats” focuses on the identification of threats against the identified assets.
  • Phase “Identify and Mitigate Risk” supports the valuation of the risks posed against the critical information assets. Finally, after this step, the mitigation strategy for each of the identified risks is defined.

Figure 1: OCTAVE Allegro steps and phases [2]

OCTAVE Allegro Steps

This section goes through all of OCTAVE Allegro’s steps to provide an introduction into the methodology. Moreover, each step is accompanied by a fictitious example related to AMI. Note that dark coloured steps in figure 1 are considered major steps in order to conduct a threat analysis, whereas light coloured steps are crucial when approaching a complete risk assessment.

Step 1 advises to identify all areas that impact an organisation. The methodology requires for a minimum set of areas which includes safety, health, productivity, reputation, financial and fines. For each of the impact areas, a set of criteria to measure low, medium and high impact must be developed. Table 1 provides an example for loss of revenue in case of data privacy violation. Finally, the major areas will be ranked and assigned values in order to allow for risk scoring. In case five areas have been identified and “legal penalties” is considered the top risk area, then the area would be assigned a five. An example is provided in table 6.

Table 1: OCTAVE Allegro Step 1: Establish Risk Measurement Criteria. Impact Area Example

Step 2 provides guidance in identifying critical information assets for the organisation. The methodology also provides a set of questions and asks, for example, for the value of assets or the dependency on assets for the day-to-day business of the organisation. Each identified information asset is attributed additional cornerstones, such as its security requirements, to make up a whole information asset profile. An example for key material in a smart meter is provided in table 2. Moreover, each profile’s most important security requirement is identified to support the later valuation of the potential impacts. OCTAVE Allegro does not provide much guidance and structure on how to identify security requirements. A way to model such requirements is by means of misuse cases [3]. The misuse case approach borrows from the unified modelling language (UML) as used in common software engineering processes, where success and fail scenarios of interaction with data and processes are modelled. The modelling of misuse cases, though, focuses on the abuse of such scenarios by malicious actors (misusers).

Table 2: OCTAVE Allegro Step 2: Develop Information Asset Profile. Critical Information Asset Example

Step 3 collects information asset containers in the form of an information asset risk environment map. Information asset containers, as the name implies, can hold, process or somehow get in touch with information assets. The methodology classifies containers as technical, physical and people. Table 3 provides examples for each of the types. Correspondingly, containers are being attributed whether they are of type internal which means under control of the organisation or whether the container is external.

Table 3: OCTAVE Allegro Step 3: Identify Information Asset Containers. Container Examples

For the analysis of an organisation, the type column can be filled in with minimal effort. For an abstract analysis, such as of a network protocol or an embedded device, some assumptions must be made. There is no general rule on which assumptions to make.

Step 4’s goal is to identify major areas of concern. The method calls for considering all containers and identifying issues that could affect the assets within each container. The compiled list of “areas of concern” is then expanded with the corresponding actor, the means to realise the threat, the motive of the actor and the potential outcome, whereby an outcome is always one of disclosure, modification, interruption or destruction; the method documentation further lists loss next to destruction. An example, implicitly referencing the affected information asset, is provided in table 4. This step does not aim at a complete list of threats but helps to capture the major concerns in a short time.

Table 4: OCTAVE Allegro Step 4: Identify Areas of Concern. Area of Concern Example

Note that I have made use of this step in order to capture areas of concern for the smart meter and wireless M-Bus analysis within my master thesis.

Step 5 ensures the structured identification of all potential threats. Threat trees ensure robust consideration of threats. The step relies on four trees in total: two considering human actors with either technical or physical means, and two considering technical and other problems. Part of the “Human Actors Using Technical Means” tree, taken from the methodology documentation [1], is shown in figure 2.

Figure 2: OCTAVE Allegro “Human Actors Using Technical Means” Tree [1]

For each information asset, each branch of the four trees is traversed to ensure thorough coverage and identification of threats. The guidance provides worksheets and questionnaires to simplify the activity. The result of the walk-through is a comprehensive list of threat entries as shown in table 4. Optionally, each resulting entry can be assigned the probability that the concerned threat scenario is realised, as low, medium or high likelihood.
As this is a tedious task in an assessment based on OCTAVE Allegro, I would not dig too deeply into it unless the previous step, “Identify Areas of Concern”, does not provide sufficient material or the analysis significantly lacks coverage. However, if thorough coverage is a requirement, that step cannot be circumvented.

Step 6 consists of a single activity and aims to identify the impact if a certain threat scenario becomes realised. Each threat scenario is attributed a consequence; thus, table 4 has been expanded with an additional column describing the consequence for each scenario. Part of table 4 together with the newly added column is shown in table 5.

Table 5: OCTAVE Allegro Step 6: Identify Risks. Risk Example

Step 7 focuses on the creation of a relative risk score for each identified threat scenario. The impact on each impact area as well as the importance of that impact area are reflected in the total risk score. The score should help to decide on the mitigation approach in the final step of the methodology. Assuming the impact area ranking in table 6 and the threat scenario listed in table 5, the risk score for that specific scenario is calculated as shown in table 6.

Table 6: OCTAVE Allegro Step 7: Analyse Risk. Example Risk Score Calculation

Basically, for each impact area the impact is measured according to the criteria defined in step 1; an example of such criteria is provided in table 1. High impact is assigned a value of three, medium impact a value of two and low impact a value of one. The ranking value of each impact area is then multiplied by the impact value of the threat scenario in that area, and the sum of these products makes up the total risk score.

Step 8, the final step in the OCTAVE Allegro qualitative risk assessment method, deals with the mitigation approach for the identified risks. In general, risks can be accepted, mitigated, transferred, avoided or further monitored (deferred), whereby mitigation aims to avoid or limit the risk. However, the effort for avoidance and limitation should never outweigh the potential impact.
Though numbers have been assigned as risk scores, their specific value only gives an indication of whether a risk should be mitigated or not. One might also take the likelihood of occurrence and some organisation specifics into account. It is suggested to divide the risks into four pools, pool one to pool four, whereby each pool groups threats within a range of the total risk score. The four pools are then approached as follows:

  • Pool 1: Mitigate
  • Pool 2: Mitigate or Defer
  • Pool 3: Defer or Accept
  • Pool 4: Accept

Depending on whether probabilities have been assigned in step 5 of the methodology, it is suggested to either form a list of all risks and split it into four pools, or to create a matrix which reflects the four pools and takes the probability into account. Finally, a mitigation strategy should be formulated for all risks that need to be mitigated. The mitigation strategy should list the information asset container to which the controls will be applied, and the chosen strategy should consider and outline potential residual risks. An example of such a mitigation strategy is provided in table 7.

Table 7: OCTAVE Allegro Step 8: Select Mitigation Approach. Mitigation Strategy Example
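The scoring of step 7 and the pooling of step 8 carried through in Python, as an added example that is neither part of the original post nor of the OCTAVE Allegro guidebook. The impact values (low 1, medium 2, high 3) and the sum of rank times impact follow the method as described above; the example ranking of five areas, the three threat scenarios, the cut of the reachable score range into four equal bands and the likelihood adjustment are assumptions made for illustration.

```python
"""OCTAVE Allegro relative risk scoring (steps 1, 7 and 8), added example.

Impact values and the rank x impact sum follow the method. The area
ranking, the pool thresholds and the likelihood adjustment are assumptions
made for illustration and are not taken from the guidebook."""

IMPACT_VALUE = {"low": 1, "medium": 2, "high": 3}

# Step 1, constructed example: five impact areas ranked by importance,
# the most important one ("legal penalties") receiving a five.
AREA_RANK = {
    "legal penalties": 5,
    "reputation": 4,
    "financial": 3,
    "productivity": 2,
    "safety and health": 1,
}

# Step 8 pool actions as listed in the text.
POOL_ACTION = {1: "Mitigate", 2: "Mitigate or Defer",
               3: "Defer or Accept", 4: "Accept"}


def risk_score(area_rank, impacts):
    """Step 7: total risk score = sum over all areas of rank x impact value.

    `impacts` maps every impact area to 'low', 'medium' or 'high'. An area
    that was never rated is an error rather than a silent zero, so a
    forgotten worksheet row cannot lower the score."""
    missing = set(area_rank) - set(impacts)
    if missing:
        raise ValueError(f"no impact rated for {sorted(missing)}")
    return sum(rank * IMPACT_VALUE[impacts[area]]
               for area, rank in area_rank.items())


def score_bounds(area_rank):
    """Smallest and largest score reachable under this ranking
    (every area low, respectively every area high)."""
    total_rank = sum(area_rank.values())
    return total_rank * IMPACT_VALUE["low"], total_rank * IMPACT_VALUE["high"]


def assign_pool(score, area_rank, likelihood=None):
    """Step 8: place a score into pool 1 (highest risk) to pool 4.

    Assumed rule: the reachable score range is cut into four equal bands,
    the top band being pool 1. If a likelihood from step 5 is given, an
    assumed matrix shifts the pool by one: 'high' towards pool 1, 'low'
    towards pool 4, 'medium' leaves it unchanged."""
    lo, hi = score_bounds(area_rank)
    if not lo <= score <= hi:
        raise ValueError(f"score {score} outside reachable range {lo}-{hi}")
    fraction = (score - lo) / (hi - lo)
    if fraction >= 0.75:
        pool = 1
    elif fraction >= 0.5:
        pool = 2
    elif fraction >= 0.25:
        pool = 3
    else:
        pool = 4
    if likelihood is not None:
        shift = {"high": -1, "medium": 0, "low": 1}[likelihood]
        pool = min(4, max(1, pool + shift))
    return pool


def rank_scenarios(scenarios, area_rank=AREA_RANK):
    """Score a list of threat scenarios and return them ordered by
    descending risk, each as (name, score, pool, action)."""
    rows = []
    for name, impacts, likelihood in scenarios:
        score = risk_score(area_rank, impacts)
        pool = assign_pool(score, area_rank, likelihood)
        rows.append((name, score, pool, POOL_ACTION[pool]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed threat scenarios in the shape of table 5: name, impact per
# area, optional likelihood from step 5.
SCENARIOS = [
    ("meter key material disclosed by an outsider",
     {"legal penalties": "high", "reputation": "medium", "financial": "medium",
      "productivity": "low", "safety and health": "low"}, "medium"),
    ("usage data modified on the NAN",
     {"legal penalties": "medium", "reputation": "medium", "financial": "high",
      "productivity": "low", "safety and health": "low"}, "high"),
    ("diagnostic port readout by a visitor",
     {"legal penalties": "low", "reputation": "low", "financial": "low",
      "productivity": "low", "safety and health": "low"}, "low"),
]

if __name__ == "__main__":
    for name, score, pool, action in rank_scenarios(SCENARIOS):
        print(f"{score:3d}  pool {pool}  {action:18s}  {name}")
```

With five areas the reachable range is 15 to 45, so the first constructed scenario scores 32 and lands in pool 2, while the second scores only 30 but is moved into pool 1 by its high likelihood; the likelihood matrix, not the raw number, decides the action.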

Conclusion

OCTAVE Allegro is a lean risk assessment method and does not provide guidance in selecting security controls, as extensive information security management standards such as the ISO 27000 series [4] do. However, ISO 27002 [5] and NIST SP 800-53 [6] provide comprehensive lists of controls to choose from, if needed.

References

[1] R.A. Caralli, J.F. Stevens, L.R. Young, W.R. Wilson. The OCTAVE Allegro Guidebook, v1.0. CERT Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213. May 2007, Online http://www.cert.org/octave/allegro.html
[2] R.A. Caralli, J.F. Stevens, L.R. Young, W.R. Wilson. Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. CMU/SEI-2007-TR-012, CERT Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213. May 2007, Online http://www.cert.org/archive/pdf/07tr012.pdf
[3] G. Sindre and A.L. Opdahl. Eliciting security requirements with misuse cases. Requirements Engineering Vol. 10 No. 1, pp. 34-44. Jun. 2004 (DOI 10.1007/s00766-004-0194-4)
[4] ISO-27000:2009: Information technology – Security techniques – Information security management systems – Overview and vocabulary
[5] ISO 27002:2005: Information technology – Security techniques – Code of practice for information security management
[6] NIST. Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Rev. 4, Final Public Draft, Feb. 2013, Online http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800_53_r4_draft_fpd.pdf

Advanced Metering Infrastructure Architecture and Components

The advanced metering infrastructure (AMI) is typically structured into a number of networks and composed of a few major components. Figure 1 provides an overview of the components and most of the networks. The AMI is made up of the meters, the collectors and the server systems at the distribution system operator (DSO) or metering company side.

The subsequent sections will briefly introduce the major components of the AMI.

Figure 1: Advanced Metering Infrastructure Networks and Components

Head-end System
The head-end system (HES), also known as the meter control system, is located within the metering company’s network; in most cases the metering company is the responsible DSO. The HES communicates directly with the meters. It is therefore located in a demilitarized zone (DMZ), since its services and functionality are provided to the outside.
There is much more infrastructure on the DSO or metering company side. The collected data is managed within a meter data management system (MDM), which also maps the data to the relevant consumer. Depending on the automation level, the metering data influences the actions the DSO takes to balance the grid.
Exposing the HES to consumers creates significant threats for the DSO. For example, an adversary getting hold of the HES could read all consumer data. Moreover, they could control meters, manipulate usage data or generate alerts in order to disturb DSO operations, or at least trigger the computer incident response team (CIRT) and maybe force the DSO to fall back to its business continuity plan (BCP) while the HES is analysed and recovered.

Collector
The collector, also known as concentrator or gateway, serves as the communication node for the HES. Depending on the infrastructure, the collector could itself be a meter. Its primary function is to interface between the HES and the meters and/or other collectors within its neighbourhood, the neighbourhood area network (NAN).
Not only the head-end but also the collector is exposed to threats. The collector is physically accessible to adversaries. Moreover, it has a trust binding to both the HES and the NAN side and is thus privileged to communicate with either end. Adversaries might exploit this in order to attack the HES. Additionally, on the NAN side, adversaries might impersonate the collector to set up a man-in-the-middle scenario or to invoke arbitrary commands on the meters.

Meter
The meter is installed at the consumer’s premises. When integrated with a collector, it communicates directly with the HES. As a plain meter it either communicates with the collector or may serve as a relay in order to route packets between nearby meters and the collector. Some meters provide an interface for appliances; with retail consumers that network is known as the home area network (HAN). Meters also provide local diagnostic ports for manual readout, installation and maintenance tasks, as shown in figure 2.
From an attacker’s perspective, the meter is the entry point to building automation, DER and usage data. But the meter is also a relevant part of the smart grid, and under no circumstances should its manipulation allow critical influence on, or affect the availability of, the grid or parts of it.

Communication
The infrastructure consists of several networks, each of which could rely on entirely different media and a multitude of protocols. In total, three networks are commonly described when referring to the AMI: the WAN, the NAN and the HAN.

Wide Area Network
The WAN connects a meter or collector to the HES; it is sometimes also referred to as the backhaul network. Communication on the WAN link is mostly Internet protocol (IP) based and commonly relies on standard information technology (IT) media and technology stacks such as fibre optic cables (FOC), digital subscriber line (DSL), general packet radio service (GPRS), multi-protocol label switching (MPLS), power line carrier (PLC) or some sort of private network. A brief overview of PLC for WAN side communication is provided in [1].
The CEN/CENELEC/ETSI Smart Meters Co-ordination Group (SMCG) does not identify a specific protocol but proposes to rely on “secure and non proprietary protocols and communication platforms” [2] for bulk transmission from collectors that bundle a large number of meters.

Neighbourhood Area Network
The NAN connects meters and collectors. Typical NAN devices are electricity, gas, water or heat meters. Organisations sometimes refer to the NAN as the local metrological network (LMN) [3], the field area network (FAN) [4] or the metering LAN [5].
Although standards such as the IEEE 802.15.4 [6], [7] based ZigBee profiles are gaining momentum, industry and regulators seem to struggle to agree on a common standard. Utilities among the European Union nations seem to prefer the meter bus (M-Bus) standard for NAN communication [3], although ENISA does not list [4] the meter bus as a NAN protocol.

Home Area Network
Depending on the consumer type, the HAN may also be called a building area network (BAN) or an industrial area network (IAN). Whatever its name, the purpose of the HAN is to integrate additional gas, water or heat meters. The HAN can allow for intelligent building automation and also allows the integration of DERs with the smart grid.

Figure 2: Home Area Network and Local Bus Blueprint

To optimise consumption during peak hours, a utility might for example decide not to turn off large heating, ventilation and air conditioning (HVAC) appliances entirely but to throttle them in order to balance the grid. For that purpose, consumers will be required to grant utilities or a third-party supplier access to their appliances. However, intelligent control does not necessarily require the intervention of an external party: an intelligent HVAC system might decide to throttle automatically based on the real-time pricing information provided by the utility.
Meters in the US largely focus on ZigBee for HAN communication [8]; profiles for home automation and smart energy are specified in [9], [10]. The Europe-based open metering system (OMS) group is pushing a specification that relies on M‑Bus, whereby the wireless M‑Bus stack is compatible with the KNX specifications [11]. KNX is very popular in home automation.

Local Bus
Common interfaces for diagnostic purposes are provided as two- or three-wire serial lines, as a current loop or as an optical interface [12], [13].
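As an added example, not code from the original post nor from the standard itself, the following Python models the framing of the direct local data exchange of [13] (IEC/EN 62056-21, protocol mode C) as spoken on the optical or serial diagnostic port: the sign-on request, the identification message, the acknowledgement and the data message with its block check character (BCC). The manufacturer id, identification string and readout lines are constructed. The point a tester at the diagnostic port should take away is in the last function: the BCC is a plain XOR parity, so anyone who can write to the line can change a value and recompute it.

```python
"""Framing of the direct local data exchange (IEC/EN 62056-21, protocol
mode C) used on a meter's optical or serial diagnostic port. Added
example; the readout below is constructed, not captured from a meter."""

STX, ETX, ACK = b"\x02", b"\x03", b"\x06"

# Baud rate identification characters of protocol mode C. Mode B uses
# letters instead; those are rejected here rather than guessed.
MODE_C_BAUD = {"0": 300, "1": 600, "2": 1200, "3": 2400,
               "4": 4800, "5": 9600, "6": 19200}


def request_message(device_address=""):
    """Client -> meter: '/?' [address] '!' CR LF, sent at 300 baud."""
    return b"/?" + device_address.encode("ascii") + b"!\r\n"


def parse_identification(msg):
    """Meter -> client: '/' + three-letter manufacturer id + baud
    identification character + identification string + CR LF.
    Returns (manufacturer, baud rate, identification)."""
    if len(msg) < 7 or not msg.startswith(b"/") or not msg.endswith(b"\r\n"):
        raise ValueError("not an identification message")
    body = msg[1:-2].decode("ascii")
    manufacturer, baud_char, ident = body[:3], body[3], body[4:]
    if not manufacturer.isalpha():
        raise ValueError(f"bad manufacturer id {manufacturer!r}")
    if baud_char not in MODE_C_BAUD:
        raise ValueError(f"unsupported baud identification {baud_char!r}")
    return manufacturer, MODE_C_BAUD[baud_char], ident


def ack_option_select(baud, programming_mode=False):
    """Client -> meter: ACK '0' Z Y CR LF. Z repeats the baud character
    the meter offered, Y selects data readout (0) or programming (1).
    After this message both sides switch to the negotiated baud rate."""
    baud_char = {rate: char for char, rate in MODE_C_BAUD.items()}[baud]
    mode = b"1" if programming_mode else b"0"
    return ACK + b"0" + baud_char.encode("ascii") + mode + b"\r\n"


def bcc(block):
    """Block check character: XOR over every byte after STX up to and
    including ETX. It is a parity check, not a keyed integrity check."""
    value = 0
    for byte in block:
        value ^= byte
    return bytes([value])


def build_data_message(lines):
    """Meter -> client: STX data lines '!' CR LF ETX BCC, where each
    data line has the form address(value*unit)."""
    block = b"".join(line.encode("ascii") + b"\r\n" for line in lines)
    block += b"!\r\n" + ETX
    return STX + block + bcc(block)


def parse_data_message(msg):
    """Check framing and BCC, return the data lines as (address, value,
    unit) tuples. Raises ValueError for any framing or BCC error."""
    if len(msg) < 6 or not msg.startswith(STX):
        raise ValueError("missing STX")
    block, received = msg[1:-1], msg[-1:]
    if not block.endswith(b"!\r\n" + ETX):
        raise ValueError("missing end-of-data marker or ETX")
    if bcc(block) != received:
        raise ValueError("BCC mismatch")
    lines = block[:-4].decode("ascii").split("\r\n")[:-1]
    parsed = []
    for line in lines:
        address, rest = line.split("(", 1)
        value, _, unit = rest.rstrip(")").partition("*")
        parsed.append((address, value, unit))
    return parsed


def reforge(msg, old, new):
    """Replace a value inside a captured data message and recompute the
    BCC. The result passes parse_data_message, which is the point: the
    BCC catches line noise, not a party on the wire rewriting data."""
    block = msg[1:-1].replace(old, new, 1)
    return STX + block + bcc(block)


# Constructed readout: active energy import, export and the meter number.
SAMPLE_READOUT = ["1.8.0(012345.678*kWh)", "2.8.0(000000.000*kWh)",
                  "0.0.0(12345678)"]

if __name__ == "__main__":
    print(parse_identification(b"/ABC5Test-Meter\r\n"))
    captured = build_data_message(SAMPLE_READOUT)
    print(parse_data_message(captured))
    print(parse_data_message(reforge(captured, b"012345.678", b"000000.001")))
```

A flipped byte in a captured message is rejected by parse_data_message, but a message passed through reforge is accepted with the new value; whatever protects against manipulation on this port has to come from the password commands of the programming mode or from physical access control, not from the framing.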

References
[1] M. Rafiei and S. M. Eftekhari, A practical smart metering using combination of power line communication (PLC) and WiFi protocols, In Proceedings of 17th Conference on Electrical Power Distribution Networks (EPDC), 2012, pp. 1–5, May 2012
[2] Smart Meters Co-Ordination Group. Standardization mandate to CEN, CENELEC and ETSI in the field of measuring instruments for the development of an open architecture for utility meters involving communication protocols enabling interoperability M/441: Final Report v0.7. Dec. 2009
[3] Federal Office for Information Security (BSI) Germany. Technische Richtlinie BSI-TR-03109-1: Anforderungen an die Interoperabilität der Kommunikationseinheit eines intelligenten Messsystems, v0.5. 2012
[4] ENISA. Smart Grid Security: Annex I. General Concepts and Dependencies with ICT. 2012
[5] EN 13757-1:2002: Communication system for meters and remote reading of meters – Part 1: Data exchange
[6] IEEE Std 802.15.4:2011. IEEE Standard for Local and metropolitan area networks – Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs)
[7] C. Bennet and D. Highfill. Networking AMI Smart Meters. In Proceedings of Energy 2030 Conference, 2008. ENERGY 2008. IEEE. pp 1-8. Nov. 2008 (DOI 10.1109/ENERGY.2008.4781067)
[8] V. Aravinthan, V. Namboodiri, S. Sunku and W. Jewell. Wireless AMI Application and Security for Controlled Home Area Networks. In Proceedings of Power and Energy Society General Meeting, 2011 IEEE. pp. 1-8. Jul. 2011 (DOI 10.1109/PES.2011.6038996)
[9] ZigBee Alliance. Home Automation Public Application Profile. ZigBee Profile: 0x0104 Revision 26, Version 1.1, Feb. 2010
[10] ZigBee Alliance. Smart Energy Profile Specification. ZigBee Profile: 0x0109, Revision 16, Version 1.1, Mar. 2011
[11] EN 50090-4-1:2004: Home and Building Electronic Systems (HBES) Part 4-1: Media independent layers – Application layer for HBES Class 1
[12] EN 13757-6:2008: Communication system for meters and remote reading of meters – Part 6: Local Bus
[13] EN 62056-21:2002: Electricity metering – Data exchange for meter reading, tariff and load control – Part 21: Direct local data exchange

The Metering Infrastructure

I have provided introductions to the electrical grid and specifically the smart grid earlier on. Today I will briefly introduce the advanced metering infrastructure: its purpose, benefits and issues. Moreover, different approaches to metering and some ongoing security standards and specification processes and organisations will be referenced.

Purpose of Smart Meters
The reason for smart meters is to enable operators to improve their infrastructure towards a smarter grid and the six characteristics outlined earlier. A smart meter has several advantages over a traditional mechanical meter and does a lot more [1], [2] than just provide detailed power consumption data to the operator. Primarily, a smart meter can significantly support the distribution system operator (DSO) in balancing the network load and improving reliability.

Thus, a smart meter does not only lower manual reading costs but also enables a more efficient estimation of the load on the generators. It helps to integrate distributed energy resources (DER) more efficiently and to monitor the distribution network in order to identify power quality (PQ) issues, misrouted energy flows or fire alerts in case a consumer outage is detected. Moreover, a meter could be used to push real-time pricing information to the consumer in order to allow appliances in the local network to optimise their power consumption according to the current rates. During an emergency, a meter could allow consumers to be disconnected from the power grid. A meter could limit consumption to a specified amount or could enforce pre-payment for defaulting consumers.

Yet, at the time of writing, the use cases actually implemented differ heavily from operator to operator, although all of them support at least remote meter reading. A security analysis should nevertheless take all potential use cases into consideration, since it is likely that firmware and hardware will be enhanced to support additional use cases in the near future.

Meter Reading vs. Metering Infrastructure
Typically, the literature distinguishes between automatic meter reading (AMR) and the advanced metering infrastructure (AMI), whereby AMR is to be seen as a subset of AMI [3].
AMR provides the metering company with usage data only. It does not allow for remotely controlled actions or the advanced collection of power information; thus, one-way communication from the meter to the metering company is sufficient for that approach.
AMI allows for remotely initiated actions and therefore requires a two-way communication protocol. The border between the two approaches blurs, though, since remotely initiated reading also requires a two-way channel in AMR setups.

North American vs. European Implementations
The US and the European countries have developed entirely independent implementations of the AMI. Nevertheless, the key drivers and business needs are exactly the same. Comparing the two, the communication protocols preferred on either continent are not compatible with each other.
The National Institute of Standards and Technology (NIST) and the European Network and Information Security Agency (ENISA), respectively the European Committee for Standardization, the European Committee for Electrotechnical Standardization and the European Telecommunications Standards Institute (CEN/CENELEC/ETSI) mandated by the European Commission, drive very similar projects to provide security guidance [4], [5] for smart grid and metering implementations. However, the guidance neither specifically requires nor recommends the use of specific protocols.

References
[1] G. N. Sorebo and M. C. Echols. Smart Grid Security: An End-to-End View of Security in the New Electrical Grid. CRC Press. 2011 (ISBN 978-1-4398-5587-4)
[2] ENISA. Smart Grid Security: Annex I. General Concepts and Dependencies with ICT. 2012
[3] E.D. Knapp. Industrial Network Protocols, AMI and the Smart Grid. In Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems. Syngress. 2011 (ISBN 978-1-59749-645-2)
[4] NIST. Security Profile for Advanced Metering Infrastructure. v2.0, Jun. 2010
[5] ENISA. Smart Grid Security: Recommendations for Europe and Member States. Jul. 2012

Grid, gridder, smart grid

This post will briefly introduce the major aspects and goals of smart grids. For those not familiar with electrical grids, have a look at the former post for a quick intro. This article aims to describe the challenges and requirements smart grids are dealing with. Moreover, the need for an intelligent measurement network, the advanced metering infrastructure (AMI), will be outlined.

An electricity industry body defines the smart grid as follows: “A Smart Grid is an electricity network that can intelligently integrate the behaviour and actions of all users connected to it - generators, consumers and those that do both - in order to efficiently ensure sustainable, economic and secure electricity supply.” [1]. The definition clearly refers to the challenging dynamics of renewable energy resources (RES), whose generation heavily relies on the fluctuating availability of sunlight, wind or maybe tides. Unfortunately, it addresses changes in behaviour less clearly: the smart grid should not only be capable of reacting to actions but should also directly or indirectly influence consumption behaviour.

Six major characteristics [2, 3] have been identified. These characteristics describe the key benefits of a smart grid; the references provide additional detail on each of them:

  1. “Enables Informed Participation by Customers
  2. Accommodates All Generation & Storage Options
  3. Enables New Products, Services, & Markets
  4. Provides Power Quality for the Range of Needs
  5. Optimizes Asset Utilization & Operating Efficiency
  6. Operates Resiliently to Disturbances, Attacks, & Natural Disasters”

The upper half of the characteristics is probably the most interesting from a retail customer’s view. However, the thesis I am currently working on maps to the part “Operates Resiliently to Disturbances, Attacks” of item six.

For the smart grid, the basic electrical grid of the former post is enriched with new elements. The basic domain structure persists, but an additional domain hosting distributed generators and distributed storage devices has been added to the smart grid blueprint shown in the figure below.

The newly introduced domain hosts all sorts of distributed energy resources (DER) such as generators and storage. The blueprint introduces a small wind park which contributes to the distribution domain and a PV installation with rechargeable batteries as buffer storage. Moreover, a freezer and an electric vehicle (EV) were added to the consumer domain. Actually, the EV is not only a consumer but may also contribute to the grid as storage in peak times. It is not the single items which are challenging for the grid but the masses, which require more ‘smartness’. Small systems could also be grouped and centrally managed as a combined power plant to form a steady power resource. A more detailed view on improvements in the transmission and distribution domains with a focus on security is given in [4].

Smart Grid Security

To ensure the reliability of the grid, the DSO and TSO must ensure that the power consumed and the power generated stay balanced; otherwise efficiency and power quality (PQ) suffer, and poor PQ may quickly result in damaged consumer devices. To avoid such a scenario, live information and detailed statistics on consumer behaviour, generator capacity and storage capacity are needed. Moreover, the operator will need to smartly attach or detach generators and consumer devices (EVs) to their local storage or to the grid according to the power needs. The management of the grid balance is also known as demand response. As good as it sounds, the management of so many components is much more complex, and the recovery from a failure will demand a controlled re-launch of DERs and bulk generators simultaneously at both ends of the grid. Additionally, dynamic pricing, in the form of real-time pricing (RTP) or critical peak pricing (CPP), could help to reduce peak loads and would result in lower demand response efforts. For real-time pricing, consumers are kept informed on the current power rates and can then decide whether to run heavy loads at the current price.

Hence, reporting consumption and switching loads will require a bi-directional channel between operator and consumer. The channel would allow the delivery of detailed measurements from the consumer and DG side to the operators. Furthermore, it would enable the operator to actively manage DER and to push real-time information to the consumer facilities. The equipment and network necessary for this are known as the advanced metering infrastructure (AMI). I will take a closer look at the AMI in upcoming posts. Stay tuned.

In order to securely operate smart grids, NERC (North American Electric Reliability Corporation) and ENISA (European Network and Information Security Agency) have prepared appropriate recommendations [5, 6].

[1] EURELECTRIC, Smart Grids and Networks of the Future, 201, http://www.eurelectric.org/Download/Download.aspx?DocumentID=26620
[2] U.S. Department of Energy (DOE), 2009 Smart Grid System Report, 2009, http://www.doe.gov/sites/prod/files/2009%20Smart%20Grid%20System%20Report.pdf
[3] U.S. Department of Energy (DOE), 2010 Smart Grid System Report, 2012, http://www.doe.gov/sites/prod/files/2010%20Smart%20Grid%20System%20Report.pdf
[4] G. N. Sorebo and M. C. Echols, Smart Grid Security: An End-to-End View of Security in the New Electrical Grid, CRC Press, 2011, ISBN 978-1-4398-5587-4
[5] NERC Reliability Standards, http://www.nerc.com/page.php?cid=2%7C20
[6] ENISA Smart Grid Security Recommendations, http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/smart-grids-and-smart-metering/ENISA-smart-grid-security-recommendations