Blackout: Wenn Hacker den Strom abschalten

Dieser Blog Post dient als Hintergrundartikel zum SRF Thementag «Blackout»: Wenn die Schweiz plötzlich keinen Strom mehr hätte vom Montag, 2. Januar 2017, 13.00 bis 22.00 Uhr (SRF News, SRF Kultur Wissen Beitrag)

blackout

Wie ist die Vorgehensweisen von Hackern, die unerlaubten Zugriff auf fremde Systeme erlangen wollen? — beispielsweise im Netzwerk eines Energieversorgungsunternehmens. Basierend auf diesen Muster hat die Compass Security im Rahmen des SRF-1 Blackout Tag gearbeitet. Der Artikel soll Sie sowohl für die Angriffsseite sensibilisieren, als auch wertvolle Tipps zur Abwehr geben.

Wer ist Compass Security

Compass Security ist eine Schweizer Unternehmung aus Rapperswil-Jona und Niederlassungen in Bern und Berlin die versuchen im Auftrag des Kunden die Sicherheit von IT Systemen zu testen. Man nennt diese Tätigkeit auch Penetration Testing oder Ethical Hacking. Im Grunde geht es darum Sicherheitslücken zu finden, bevor diese durch echte Hacker ausgenutzt werden. Wer sich regelmässig testen lässt, der wird massgeblich besser in der Cyber Abwehr.

Vorgehen bei einem Hacker Angriff

Direkte Angriffe

Direkte Angriffe richten sich unmittelbar gegen die IT-Infrastruktur eines Unternehmens. Typischerweise sucht ein Angreifer dabei nach Schwachstellen auf einem Perimeter System, dass ins Internet exponiert ist.
Direkte Angriffe

  1. Ein Angreifer versucht unerlaubten Zugriff auf interne Systeme zu erlangen.
  2. Der Angreifer, beispielsweise vom Internet her, sucht nach offenen Diensten die er möglicherweise für das Eindringen ausnutzen kann.
  3. Ein ungenügend geschützter Dienst erlaubt dem Angreifer Zugriff auf interne Systeme.

Indirekte Angriffe

Im Gegensatz zu direkten Angriffen, nutzen indirekte Angriffe nicht unmittelbar eine Schwachstelle auf einem ins Internet exponierten System aus. Vielmehr versuchen indirekte Angriffe die Perimeter Sicherheit eines Unternehmens zu umgehen.

Variante 1: Man-in-the-Middle / Phishing Angriffe

Indirekte Angriffe

  1. Ein Angreifer schaltet sich in den Kommunikationsweg zweier Parteien. Dies erlaubt ihm das Mitlesen sensitiver Informationen.
  2. Der Angreifer nutzt die erlangten Informationen um unbemerkt auf interne Systeme zuzugreifen.

Variante 2: Malware / Mobile Devices / W-LAN
Indirekte Angriffe

  1. Ein Angreifer infiziert ein Gerät mit Schadsoftware.
  2. Durch die Schadsoftware erlangt der Angreifer Kontrolle über das infizierte Gerät, welches Zugriff auf andere interne Systeme hat.
  3. Zusätzlich kann ein Angreifer über andere Zugriffspunkte ins interne Netzwerk gelangen, beispielsweise über unsichere Wireless-LAN Access Points.

Variante 3: Covert Channel (Inside-Out Attacke)
Indirekte Angriffe

  1. Ein Angreifer präpariert ein Medium wie USB-Sticks oder CD-ROMs mit Schadsoftware.
  2. Der Angreifer bringt sein Opfer dazu das Medium zu verwenden.
  3. Die Schadsoftware wird automatisiert ausgeführt und verbindet sich unbemerkt zurück zum Angreifer. Der Angreifer erhält die Kontrolle über das infizierte Gerät.

Sechs Tipps zur Abwehr

  1. Regelmässige Aktualisierung von Betriebssystem, Browser und Anwendungssoftware
  2. Schutz durch Verwendung von Firewall und Anti-Viren Software
  3. Verwendung von starken Passwörtern, sowie deren regelmässige Änderung
  4. Löschen von E-Mails mit unbekanntem Absender, Sorgfalt beim Öffnen angehängter Dateien
  5. Vorsicht bei der Verwendung von unbekannten Medien wie USB-Sticks oder CD-ROMs
  6. Regelmässige Erstellung von Backups

Wie kann Compass Security Ihre Firma unterstützen?

  • Penetration Tests: Simulation von Angriffen mit oder ohne Insider-Wissen
  • Security Reviews: Überprüfung und Analyse von Systemen und Konfigurationen
  • Incident Response: Unterstützung während und nach Angriffen
  • Security Trainings: Ausbildung und Sensibilisierung

Gerne prüfen wir, ob die Zugriffe auf Ihre wichtigsten Systeme sicher sind!

Referenzen

Unter folgenden Referenzen finden Sie Tipps und Anregungen zu häufig gestellten Fragen.

Advanced Metering Infrastructure Architecture and Components

The advanced metering infrastructure (AMI) is typically structured into a bunch of networks and composed of a few major components. Figure 1 provides an overview of all components and most networks. It is made up of the Meter, the Collector and of the server systems at the distribution system operator (DSO) or metering company side.

The subsequent sectionswill briefly introduce the major components of the AMI.

Figure 1: Advanced Metering Infrastructure Networks and Components

Head-end System
The head-end system (HES), also known as meter control system, is located within a metering company network. In most cases the metering company is the responsible DSO. The HES is directly communicating with the meters. Therefore, the HES is located in some demilitarized zone (DMZ) since services and functionality will be provided to the outside.
There is much more infrastructure at the DSO or metering company side. The collected data will be managed within a metering data management system (MDM) which also maps data to the relevant consumer. Depending on the automation level, the metering data will have influence on the DSO actions in order to balance the grid.
Exposing the HES to consumers enables some significant threats to the DSO. For example, an adversary getting hold of the HES could read all consumer data. Moreover, one could control meters or could manipulate usage data or generate alerts in order to disturb the DSO operations or at least trigger the computer incident response team (CIRT) and maybe force the DSO to backup to some business continuity plan (BCP) while analysing and recovering the HES.

Collector
The collector, also known as concentrator or gateway serves as communication node for the HES. Depending on the infrastructure the collector could be a meter itself. Its primary function is to interface between the HES and the meters and/or other collectors within its neighbourhood – the neighbourhood area network (NAN).
Not only the head-end but also the collector exposes threats. The collector is physically exposed to adversaries. Moreover, it has a trust binding to the HES and the NAN side and is thus privileged to communicate with either end. Adversaries might exploit the fact in order to attack the HES. Additionally, on the NAN side, adversaries might impersonate the collector to setup a man-in-the-middle scenario or to invoke arbitrary commands at the meters.

Meter
The meter is installed at consumer premises. When integrated with a collector, it directly communicates to the HES. As a meter it either communicates with the collector or may serve as a relay in order to route packets between nearby meters and the collector. Some meters provide an interface for appliances. With retail consumer that network is known as the home area network (HAN). Meters do also provide local diagnostic ports for manual readout, installation and maintenance tasks as shown in figure 2.
From an attackers perspective the meter is the entry point to building automation, DER and usage data. But the meter is also a relevant part of the smart grid and under no circumstances should its manipulation allow critical influence or affect the availability of the grid or parts of it.

Communication
The infrastructure consist of several networks of which all could rely on absolutely different media and a multitude of protocols. In total, three networks are commonly described when referring to the AMI. The WAN, NAN and HAN.

Wide Area Network
The WAN does connect a meter or collector to the HES. The WAN is sometimes also referred to as the backhaul network. Communication on the WAN link is mostly Internet protocol (IP) based and does commonly rely on standard information technology (IT) media and technology stacks such as fibre optic cables (FOC), digital subscriber line (DSL), general packet radio service (GPRS), multi-protocol label switching (MPLS), power line carrier (PLC) or some sort of private network. A brief overview on PLC for WAN side communication is provided in [1]
The CEN/CENELEC/ ETSI Smart Meter Co-ordination Group (SMCG) does not identify a specific protocol but proposes to rely on “secure and non proprietary protocols and communication platforms” [2] for bulk transmission from collectors that bundle a large number of meters.

Neighbourhood Area Network
The NAN connects meters and collectors. Typical NAN devices are electricity, gas, water or heat meters. organisations sometimes refer to the NAN as local metrological network (LMS) [3], field area network (FAN) [4] or the metering LAN [5].
Although standards such as the IEEE 802.15.4 [6], [7] based ZigBee profiles are gaining momentum, the industry and regulators seam to struggle on a common standard. Utilities among the European union nations seem to prefer the meter bus standard for NAN communication [3] although the ENISA does not list [4] the meter bus as a NAN protocol.

Home Area Network
Depending on the consumer type the HAN could also be named as building area network (BAN) or industrial area network (IAN). Whatever its name is, the purpose of the HAN is to integrate additional gas, water or heat meters. The HAN could allow for intelligent building automation and does also allow the integration of DERs with the smart grid.

Figure 2: Home Area Network and Local Bus Blueprint

To optimize consumption during peak hours a utility might for example decide not to entirely turn off but to throttle large heating, ventilation, and air conditioning (HVAC) appliances to balance the grid. For that purpose, consumers will be required to grant utilities or a third-party supplier access to their appliances. However, intelligent control does not necessarily require the intervention of an external part. Thus, an intelligent HVAC might decide to throttle automatically based on the real-time pricing information provided by the utility.
Meters in the US largely focus on ZigBee for HAN communication [8]. Profiles for home automation and smart energy are specified in [9], [10]. The Europe based open metering system (OMS) group is pushing a specification that relies on M‑Bus whereby the wireless M‑Bus stack is compatible with the KNX specifications [11]. KNX is very popular in home automation.

Local Bus
Common interfaces for diagnostic purposes are provided as two or three-wire serial lines, current loop or as an optical interface [12], [13].

References
[1] M. Rafiei and S. M. Eftekhari, A practical smart metering using combination of power line communication (PLC) and WiFi protocols, In Proceedings of 17th Conference on Electrical Power Distribution Networks (EPDC), 2012, pp. 1–5, May 2012
[2] Smart Meters Co-Ordination Group. Standardization mandate to CEN, CENELEC and ETSI in the field of measuring instruments for the development of an open architecture for utility meters involving communication protocols enabling interoperability M/441: Final Report v0.7. Dec. 2009
[3] Federal Office for Information Security (BSI) Germany. Technische Richtlinie BSI-TR-03109-1: Anforderungen an die Interoperabilität der Kommunikationseinheit eines intelligenten Messsystems, v0.5. 2012
[4] ENISA. Smart Grid Security: Annex I. General Concepts and Dependencies with ICT. 2012
[5] EN 13575-1:2002: Communication system for meters and remote reading of meters – Part 1: Data exchange
[6] IEEE Std 802.15.4:2011. IEEE Standard for Local and metropolitan area networks – Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs)
[7] C. Bennet and D. Highfill. Networking AMI Smart Meters. In Proceedings of Energy 2030 Conference, 2008. ENERGY 2008. IEEE. pp 1-8. Nov. 2008 (DOI 10.1109/ENERGY.2008.4781067)
[8] V. Aravinthan, V. Namboodiri, S. Sunku and W. Jewell. Wireless AMI Application and Security for Controlled Home Area Networks. In Proceedings of Power and Energy Society General Meeting, 2011 IEEE. pp. 1-8. Jul. 2011 (DOI 10.1109/PES.2011.6038996)
[9] ZigBee Alliance. Home Automation Public Application Profile. ZigBee Profile: 0x0104 Revision 26, Version 1.1, Feb. 2010
[10] ZigBee Alliance. Smart Energy Profile Specification. ZigBee Profile: 0x0109, Revision 16, Version 1.1, Mar. 2011
[11] EN50090-4-1:2004. Home and Building Electronic Systems (HBES) Part 4-1: Media independent layers – Application layer for HBES Class 1
[12] EN 13575-6:2008: Communication system for meters and remote reading of meters – Part 6: Local Bus
[13] EN 62056-21:2002, Electricity metering – Data exchange for meter reading, tariff and load control – Part 21: Direct local data exchange

The Metering Infrastructure

I have provided introductions to the electrical and specifically the smart grid earlier on. Today I will briefly introduce the advanced metering infrastructure – its purpose, benefits and issues. Moreover, different approaches to metering and some ongoing security standards and specifications processes and organizations will be referenced.

Purpose of Smart Meters
The reason for smart meters is to enable the operators to improve their infrastructure towards a smarter grid and its six characteristics outlined. A smart meter has several advantages over a traditional mechanical meter. A smart meter does lots more [1], [2] than just providing detailed power consumption data to the operator. Primarily, a smart meter can significantly support the distribution system operator (DSO) to balance the network load and improve reliability.

Thus, a smart meter does not only lower manual reading cost but also enables to more efficiently estimate the load on the generators. It helps to more efficiently integrate distributed energy resources (DER) and helps to monitor the distribution network in order to identify power quality (PQ) issues, misrouted energy flows or fire alerts in case a consumer outage is being detected. Moreover, a meter could be used to push real-time pricing information to the consumer in order to allow appliances in the local network to optimize their power consumption according to the current rates. During an emergency, a meter could allow to disconnect consumers from the power grid. A meter could limit the consumption to a specified amount or could enforce pre-payment for defaulting consumers.

Yet, at time of writing, the effective use cases implemented heavily differ from operator to operator. Whereby all of them support at least remote meter reading. However, a security analysis should take all potential use cases into consideration since it is likely that firmware and hardware is being enhanced to support additional use cases in the near future.

Meter Reading vs. Metering Infrastructure
Typically, literature differs between advanced meter reading (AMR) and the advanced metering infrastructure (AMI) whereby AMR is to be seen as a subset of AMI [3].
AMR provides the metering company with usage data only. AMR does not allow for remote controlled action or advanced collection of power information. Thus, one-way communication from meter to the metering company is sufficient for that approach.
AMI will allow for remote initiated actions and will therefore require a two-way communication protocol. Though the border between the two approaches fades since remote initiated reading will also require for a two-way channel in AMR setups.

North American vs. European Implementations
The US as well as the European countries have developed absolutely independent implementations of the AMI. Nevertheless, the key drivers and business needs are exactly the same. Comparing the two, the preferred communication protocols in either continent are not compatible with each other.
The National Institute of Standards and Technology (NIST) and European Network and Information Security Agency (ENISA) respectively the European Committee for Standardization, the European Committee for Electrotechnical Standardization and the European Telecommunications Standards Institute (CEN/CENELEC/ETSI) mandated by the European Commission drive very similar projects to provide security guidance [4], [5] for smart grid and metering implementations. However, the guidance neither specifically requests for nor does it recommend the use of specific protocols.

References
[1] G. N. Sorebo and M. C. Echols. Smart Grid Security: An End-to-End View of Security in the New Electrical Grid. CRC Press. 2011 (ISBN 978-1-4398-5587-4)
[2] ENISA. Smart Grid Security: Annex I. General Concepts and Dependencies with ICT. 2012
[3] E.D. Knapp. Industrial Network Protocols, AMI and the Smart Grid. In Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems. Syngress. 2011 (ISBN 978-1-59749-645-2)
[4] NIST. Security Profile for Advanced Metering Infrastructure. v2.0, Jun. 2010
[5] ENISA. Smart Grid Security: Recommendations for Europe and Member States. Jul. 2012

Grid, gridder, smart grid

This post will briefly introduce the major aspects and goals of smart grids. For those not familiar with electrical grids, have a look at the former post for a quick intro. This article aims to describe the challenges and requirements smart grids are dealing with. Moreover, the need for an intelligent measurement network – the advances metering infrastructure (AMI) will be outlined

Some electricity industry body defines the smart grid as follows: “A Smart Grid is an electricity network that can intelligently integrate the behaviour and actions of all users connected to it -generators, consumers and those that do both – in order to efficiently ensure sustainable, economic and secure electricity supply. ” [1]. The definition clearly refers to the challenging dynamics of renewable energy resources (RES) whose generation heavily relies on the fluctuate availability of sun light, wind or maybe tides. Unfortunately, it less clearly addresses changes in behavior whereby the smart grid should not only be capable to react on actions but should also directly or indirectly influence consumption behavior.

There have been six major characteristics [2, 3] identified. These characteristics describe the key benefits of a smart grid. The reference even provides additional detail on the characteristics:

  1. “Enables Informed Participation by Customers 
  2. Accommodate s All Generation & Storage Options 
  3. Enables New Products, Services, & Markets 
  4. Provides Power Quality for the Range of Needs 
  5. Optimizes Asset Utilization & Operating Efficiency 
  6. Operates Resiliently to Disturbances, Attacks, & Natural Disasters ”

The upper halve of the characteristics is probably the most interesting from a retail customers view. However, the thesis I am currently working on will map to the part “Operates Resiliently to Disturbances, Attacks” of item six.

For the smart grid the basic electrical grid in the former post is enriched with new elements. The basic domain structure persists but an additional domain hosting distributed generators and distributed storage devices have been added to the smart grid blue print shown in the below figure.

The newly introduced domain hosts all sort of distributed energy resources (DER) such as generators and storages. The blueprint introduces a small wind park which contributes to the distribution domain and a PV installation with rechargeable batteries as buffer storage, Moreover, a freezer and an electrical vehicle (EV) were added to the consumer domain. Actually, the EV is not only a consumer but may also contribute to the grid as a storage in peak times. Its not the single items which are challenging for the grid but its the masses which require for more ‘smartness’. Small systems could also be grouped and centrally managed as a combined power plant to form a steady power resource. A more detailed view on improvements in the transmission and distribution domains with focus on security is given in [4].

Smart Grid Security

Thus, to ensure reliability of the grid the DSO and TSO must ensure that the power consumed and the power generated stays balanced otherwise efficiency and power quality (PQ) suffer. Unfortunately, poor PQ may quickly result in damaged consumer devices. To avoid such scenario, live information and detailed statistics of the consumer behavior, of generators capacity and of storage capacity is needed. Moreover, the operator will need to smartly attach or detach generators and consumer devices (EV) to their local storage or to the grid according to the power needs. The management of the grid balance is also known as demand-response. As good it sounds, management of so many components is much more complex and the recovery of a failure will demand for a controlled re-launch of DERs and bulk generators simultaneously at both ends of the grid. Additionally, dynamic-pricing or real-time pricing (RTP) or critical peak pricing (CPP) could help to reduce peak loads and would result in lower demand-response efforts. For real-time pricing, consumers will be kept informed on the current power rates. Consumers could then decide on whether to run heavy loads at the current pricing.

Hence, reporting consumption and switching loads will require a bi-directional channel being established between operator and consumer. The channel would then allow for delivery of detailed measurement from the consumer and DG side to the operators. Furthermore, it would enable the operator to actively manage DER and to push real-time information to the consumer facilities. The equipment and network necessary is known as the advanced metering infrastructure (AMI). I will provide a closer look to the AMI in upcoming posts. Stay tuned.

In order to securely operate smart grids, NERC (North American Electricity Reliability Corporation) and ENISA (European Network and Informations Security Agency) have prepared appropriate recommendations [5,6].

[1] EURELECTRIC, Smart Grids and Networks of the Future, 201, http://www.eurelectric.org/Download/Download.aspx?DocumentID=26620
[2] U.S. Department of Energy (DOE), 2009 Smart Grid System Report, 2009, http://www.doe.gov/sites/prod/files/2009%20Smart%20Grid%20System%20Report.pdf
[3] U.S. Department of Energy (DOE), 2010 Smart Grid System Report, 2012, http://www.doe.gov/sites/prod/files/2010%20Smart%20Grid%20System%20Report.pdf
[4] G. N. Sorebo and M. C. Echols, Smart Grid Security: An End-to-End View of Security in the New Electrical Grid, CRC Press, 2011, ISBN 978-1-4398-5587-4
[5] NERC Reliability Standards, http://www.nerc.com/page.php?cid=2%7C20
[6] ENISA Smart Grid Security Recommendations, http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/smart-grids-and-smart-metering/ENISA-smart-grid-security-recommendations