WRD Systems chief technology officer Johan Dams has spent six months looking at a number of smart grid aspects, from meters to SCADA systems, and believes the levels of security implemented to date are in most cases far below what is required to safeguard against a range of attacks.
“The first vulnerabilities we found were with the meters themselves. In many cases, hardware ports (like JTAG) were left accessible, which meant we could just hook up a laptop and start analyzing the meters’ code. We could then modify this code to make the meter cut power or manipulate readings.
From there we looked at how metering data is transmitted. None of the solutions we looked at included anything more than basic security (if even any). Metering data that was transmitted wirelessly gave particular cause for concern. Using widely available equipment, this data can be intercepted, read and manipulated – not to mention the privacy concerns.”
ICS-CERT recently issued a number of alerts relating to networked SCADA systems being discoverable online:
“When we talk about SCADA systems being discoverable online, we need to remember that viruses like STUXNET were designed specifically to target and disrupt these systems and are very capable of causing significant damage not just to software but to industrial machinery. These systems were never designed to be networked and making them safe from attack requires a great deal of work.”
With the rise of hacking on an industrial scale emanating from various sources, the possibility of a sophisticated attack against infrastructure as vital as the energy grid either in Europe or the US seems to increase almost daily.
So what solutions does Mr Dams propose in order to secure the grid from attack?
“The first thing would be to stop relying on vulnerable generic software at any stage, from laptops to SCADA systems. This includes off-the-shelf operating systems not designed with security in mind, and security software not meant to be scaled up to the level of complexity of the Smart Grid. Far too often an attack can be launched just by infecting one laptop and waiting for it to pass the infection along to other systems (recent attacks on Facebook, the New York Times and Microsoft were launched in this fashion).
Authentication and encryption of metering data would remove a number of vulnerabilities. For this, a push towards a standard is definitely needed since now it consists of a variety of protocols and measures (some proprietary) that cannot be independently verified for correctness.
Protecting networks from DDOS attacks is another important area. A DDOS on a corporate network is one thing, but one launched against the grid can have far worse consequences than email or online storage being unavailable for some time.”
Whatever the future holds for the smart grid, security seems to be high on the agenda.
The paper discussed in this article can be downloaded HERE