Posted by: Jeromie Jackson
Tags: AMI, grid compromised, Grid Security, hacking the grid, IED, penetrate the grid, power system security, RTU, security grid, smart grid security, Substation security, USA Energy grid
1- Weak Passwords & Shared Accounts
Intelligent Electronic Devices (IEDs) and Remote Terminal Units (RTUs) receive information from various sensors and power systems. The RTU/IED can also initiate responses, including changing voltage levels or tripping circuit breakers in reaction to frequency, current, or voltage anomalies. These devices are used in both the transmission and distribution networks.
Most IEDs/RTUs do not use user-based authentication. Role-based access control is relatively flat: there is no concept of a "user." This means accounts are shared, which is definitely a security concern. As employees leave and service is performed on the equipment, the confidentiality of the password is compromised. Because changing passwords within the devices is complex, they generally are not changed.
Not only do the IEDs and RTUs in the grid itself use only role-based authentication, smart meter deployments generally use passwords that are shared and identical across the entire meter deployment! There are many Identification & Authentication (I&A) solutions that would provide user-based audit, access control, and authentication. Because many of these locations have slow links and dialup connections, maintenance of the credentials will be a significant factor in what is implemented.
CyberArk may be a good solution. Their product is a password vault: it protects and manages user accounts. System users log into the vault and then launch sessions into the target systems from there. System account passwords are often not changed because of the complexity involved and the potential for an outage. By scripting the password changes, the outage risk is mitigated and passwords can be changed routinely.
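To make the vault idea concrete, here is an added illustration (not CyberArk's code or API, and not part of the original post) of what a vault in front of a shared device role account does: every person authenticates individually to the vault, the vault maps that person to the device's role password and writes an audit record of who used it and when, and rotation is scripted so the new password is committed only after the device has accepted it (the back-out that prevents a lockout). The device name `rtu-substation-7`, the role `engineer`, the users and the starting password are all constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a minimal privileged-access vault that gives per-user
# attribution on top of a device that only knows a shared role password.
class PrivilegedAccessVault:
    def __init__(self):
        self._users = {}      # username -> (salt, pbkdf2 digest)
        self._roles = {}      # (device_id, role) -> current role password
        self._grants = set()  # (username, device_id, role) allowed to check out
        self.audit = []       # audit trail: who did what, to which device, with what result

    def _log(self, user, device_id, role, action, result):
        self.audit.append({"ts": time.time(), "user": user, "device": device_id,
                           "role": role, "action": action, "result": result})

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def authenticate(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def register_role(self, device_id, role, current_password):
        self._roles[(device_id, role)] = current_password

    def grant(self, username, device_id, role):
        self._grants.add((username, device_id, role))

    def checkout(self, username, password, device_id, role):
        """Hand out the role password for one session after per-user auth + authorization."""
        if not self.authenticate(username, password):
            self._log(username, device_id, role, "checkout", "auth-failed")
            raise PermissionError("authentication failed")
        if (username, device_id, role) not in self._grants:
            self._log(username, device_id, role, "checkout", "not-authorized")
            raise PermissionError("user not authorized for this device role")
        self._log(username, device_id, role, "checkout", "ok")
        return self._roles[(device_id, role)]

    def rotate(self, device_id, role, push_to_device):
        """Scripted rotation: commit the new password only if the device accepted it."""
        old = self._roles[(device_id, role)]
        new = secrets.token_urlsafe(18)
        if push_to_device(device_id, role, old, new):
            self._roles[(device_id, role)] = new
            self._log("rotation-job", device_id, role, "rotate", "ok")
            return True
        # device rejected the change or was unreachable: keep the old password (back-out)
        self._log("rotation-job", device_id, role, "rotate", "failed-kept-old")
        return False

def demo():
    vault = PrivilegedAccessVault()
    vault.add_user("alice", "correct horse battery")
    vault.register_role("rtu-substation-7", "engineer", "Spring2009")  # constructed values
    vault.grant("alice", "rtu-substation-7", "engineer")

    device_state = {"engineer": "Spring2009"}  # simulated RTU: accepts a change only
    def push(device_id, role, old, new):       # when the current password is presented
        if device_state[role] != old:
            return False
        device_state[role] = new
        return True

    before = vault.checkout("alice", "correct horse battery", "rtu-substation-7", "engineer")
    rotated = vault.rotate("rtu-substation-7", "engineer", push)
    after = vault.checkout("alice", "correct horse battery", "rtu-substation-7", "engineer")
    try:  # no individual vault identity means no device password
        vault.checkout("mallory", "guess", "rtu-substation-7", "engineer")
        denied = False
    except PermissionError:
        denied = True
    return {"before": before, "after": after, "rotated": rotated, "denied": denied,
            "device_password": device_state["engineer"],
            "audit_users": [a["user"] for a in vault.audit]}

if __name__ == "__main__":
    print(demo())
```

The point of the `push_to_device` callback is that rotation over a slow or dialup link can fail part-way; the vault only forgets the old password once the device has confirmed the new one, so a failed rotation degrades to "password unchanged, event logged" rather than "nobody can log in."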
2- Lack of Patching
Because of uptime requirements, much of the grid has not been patched on a regular basis; many systems have not been updated for years. Considering the number of vulnerabilities in software and firmware that are disclosed each year, this is a serious concern. Should an attacker gain access, privilege escalation, denial of service, and other nefarious activity are easily executed. Mitigation of outages caused by patching is generally achieved by having a testing environment and quality back-out procedures. Given the sensitivity of the environment and the low bandwidth currently in place, I do not see patching becoming a timely activity anytime soon.
3- Insecure Communications (Zigbee, Bluetooth, Dialup, Wifi)
Dialup is often used for engineering access to substations. Broadband is often unavailable at many remote substation locations. Security is limited to modem callback and passwords in the answering modem and/or device connected to the modem. Passwords are not user-specific and are seldom changed. A solution is needed that gives modern levels of security while providing for individual user attribution of both authentication and authorization.
Some newer pole-top and other outdoor field equipment supports 802.11 or Bluetooth for short-range user access from a maintenance truck. Historically, maintenance personnel had to climb the pole in order to triage the issue. Both 802.11 and Bluetooth have numerous vulnerabilities that have been well documented and demonstrated.
4- Lack of Adequate Audit Logging & Management
Substations often have very limited bandwidth and connectivity. As mentioned, dial-up is often the connection type. Auditing, logging, and proactive management have all been directly impacted by the limited bandwidth and lack of continuous connectivity. Some of the stations are located in very rural areas, so various types of connectivity will have to be evaluated by the energy companies.
5- Mutual Authentication of Devices
Two-way authentication will be required to authenticate AMI devices to head ends, consumers to AMI devices, and in many other areas where patches, updates, and changes are necessary, as well as to ensure that commands are only issued from appropriate sources. Without mutual authentication, significant risks will be introduced into the system.
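The head-end-to-meter case above, as an added example that is not part of the original post and not any vendor's AMI protocol: a mutual challenge-response exchange in which each side proves knowledge of a per-device key over fresh nonces from both parties, and the command is bound to those nonces so that a captured command cannot be replayed into a later session. The per-device key (rather than one fleet-wide secret, which is exactly the shared-password problem from section 1), the meter id `MTR-0001`, the message layout and the `DISCONNECT` command are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed example of mutual authentication between an AMI head end and a meter.
# Message flow:  1. head end -> meter:  n_head
#                2. meter -> head end:  n_meter, HMAC(k, "meter", id, n_head, n_meter)
#                3. head end -> meter:  cmd, HMAC(k, "headend", id, n_head, n_meter, cmd)
# Step 2 authenticates the meter to the head end; step 3 authenticates the head end
# (and the specific command) to the meter.

def _tag(key, *parts):
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)  # length-prefix each field
    return mac.digest()

class Meter:
    def __init__(self, meter_id, key):
        self.meter_id = meter_id
        self.key = key            # per-device key (assumption of this example)
        self.executed = []        # commands actually carried out
        self._session = None

    def respond_to_challenge(self, n_head):
        n_meter = secrets.token_bytes(16)
        self._session = (n_head, n_meter)
        return n_meter, _tag(self.key, b"meter", self.meter_id, n_head, n_meter)

    def receive_command(self, cmd, tag_head):
        if self._session is None:
            return False
        n_head, n_meter = self._session
        self._session = None      # one command per handshake; nonces are never reused
        expected = _tag(self.key, b"headend", self.meter_id, n_head, n_meter, cmd)
        if not hmac.compare_digest(expected, tag_head):
            return False          # source could not prove it holds the key: refuse
        self.executed.append(cmd)
        return True

class HeadEnd:
    def __init__(self, keys):
        self.keys = keys          # meter_id -> key

    def challenge(self):
        return secrets.token_bytes(16)

    def verify_meter(self, meter_id, n_head, n_meter, tag_meter):
        expected = _tag(self.keys[meter_id], b"meter", meter_id, n_head, n_meter)
        return hmac.compare_digest(expected, tag_meter)

    def sign_command(self, meter_id, n_head, n_meter, cmd):
        return _tag(self.keys[meter_id], b"headend", meter_id, n_head, n_meter, cmd)

def run_session(head_end, meter, cmd):
    """Full exchange; returns (meter_authenticated, command_accepted, signed step-3 message)."""
    n_head = head_end.challenge()                              # 1
    n_meter, tag_meter = meter.respond_to_challenge(n_head)    # 2
    if not head_end.verify_meter(meter.meter_id, n_head, n_meter, tag_meter):
        return False, False, None
    tag_head = head_end.sign_command(meter.meter_id, n_head, n_meter, cmd)  # 3
    return True, meter.receive_command(cmd, tag_head), (cmd, tag_head)

def demo():
    k = secrets.token_bytes(32)
    meter = Meter(b"MTR-0001", k)
    genuine = HeadEnd({b"MTR-0001": k})
    rogue = HeadEnd({b"MTR-0001": secrets.token_bytes(32)})  # does not hold the meter's key

    ok_auth, ok_cmd, signed = run_session(genuine, meter, b"DISCONNECT")

    # A source without the key completes steps 1-2 but its step-3 tag does not verify.
    n_head = rogue.challenge()
    n_meter, _ = meter.respond_to_challenge(n_head)
    rogue_cmd = meter.receive_command(
        b"DISCONNECT", rogue.sign_command(b"MTR-0001", n_head, n_meter, b"DISCONNECT"))

    # Replaying the genuine signed command into a fresh handshake fails: nonces differ.
    meter.respond_to_challenge(genuine.challenge())
    replayed = meter.receive_command(*signed)

    return {"genuine": (ok_auth, ok_cmd), "rogue_accepted": rogue_cmd,
            "replay_accepted": replayed, "executed": list(meter.executed)}

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real deployment regardless of the primitive used: the meter must refuse commands that arrive outside a handshake it initiated a nonce for, and the binding must cover the command bytes themselves, otherwise a valid authentication could be paired with a different command.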
Significant obstacles stand in the way of improving the security of the energy grid. A lot of attention is being put towards the initial planning and organization stages, which should help thwart further implementation of vulnerable applications, processes, protocols, and operations. Blended attacks will certainly be in the attacker's bag of tricks. Physical, technological, and procedural security controls will have to be highly scrutinized and continuously tested to ensure a strong security posture.