SpiderLabs Blog

Smart Meter Attacks: Old Vectors Die Hard

Much has been made of the recent attacks against a Puerto Rican utility's smart metering system, and perhaps it's warranted in some ways. After all, theft is theft, whether it's power, your bicycle, or beer out of my fridge. Those of us who reside in North America may not think much of scamming on our $50 a month power bill for our apartment, but utility theft is a major industry elsewhere in the world, particularly for commercial installations. Despite this, it's important to realize that the concept of power theft is nothing new, and that the technology in play is not what is enabling the theft - it is simply changing the way people steal.

Why should we be concerned, but perhaps not hysterical? Two things enabled the theft: physical access and insider corruption. First, as with most pieces of technology, if you have physical access to the device, it's game over. Your server has passwords? I'll rip out the drive. You have full disk encryption? Let's PXE boot and copy your memory. There are ways to slow an attacker down, but ultimately if he/she has physical access, something bad is going to happen.

Second, the concept of bribing/threatening an insider is perhaps an even more powerful one - it's an expansion of the age-old theme of slipping your cable installer an extra $20 for HBO, only in this case you're suggesting you'll break his legs for the keys to your meter box. Given the general disincentive for honesty (and incentive for walking), it would seem field repair personnel are an ideal first target. They have access to diagnostic tools, field manuals, and other information that would prove useful.

Is all this starting to sound familiar? It should - concepts like "physical security" and "insider threat" have been around since the dawn of the security field. That's why these types of attacks should come as little surprise - they apply to smart metering technology just as much as to the mechanical meters of the past. An attack based on one of these concepts is possible no matter what technology is in play. Again, smart metering is not simply enabling people to steal (we've always been able to steal), it's changing the way (and perhaps the uniformity of the way) we steal.

You're probably saying to yourself, "Surely, utilities are taking steps to address this!" As we mentioned in our smart metering tech overview back in 2010 (the same year the FBI study was published), metering companies are actually beginning to take meter security somewhat seriously. While most specifics are slightly cloak and dagger, the majority of smart metering implementations attempt to create a robust, meshed, encrypted grid back to the utility. Granted, the main interest of providers is that they get data consistently and reliably, but some thought has been given to potential grid attacks. On paper at least, the design appears to have been given some decent thought.

Why do we still see attacks, then? One main issue persists - just because the meter manufacturer provides these wonderful features (tamper detection, encryption, custom configuration, etc.) doesn't mean the utility has to actually enable them. It's the equivalent of purchasing a fancy firewall or IDS and sending all your logs to /dev/null. Part of this is no doubt due to the slow pace of technological evolution for utilities (SCADA-related systems aren't traditionally known for being cutting edge), and the historical emphasis on stability and uptime (not necessarily bad things when you consider the implications of redundancy at a nuclear power plant).

What may prevent such attacks in the future? Let's start by using those nifty metering features for their intended purpose. If your choice of meter for your grid has a tamper alarm, enable it (hopefully coupled with a decent physical barrier that protects diagnostic ports). Other systems have a checksum feature, which queries meters to determine firmware revision. It's conceivably easy to fool such checks, but it's a start. Frustrate intruders even more with frequent over-the-air firmware updates (once every few months). Finally, if all else fails, use fraud analytics (think credit card-style) on power consumption, coupled with common sense - if a consumer's utility bill is suddenly half of what it was last month and the service hasn't changed hands (or the building hasn't burned down), send a spot check crew out to investigate. Oh, and while you're at it, rotate the crew every so often, just in case someone is on the take.
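The consumption-drop rule above, written out as a small detector (an added example, not code from the original post or from any utility's system). It generalizes "half of last month" slightly by comparing the latest month against the median of the three prior months, so one odd month doesn't skew the baseline, and it suppresses accounts with a recorded service transfer or disconnect. All account numbers, readings and event types are constructed.

```python
from statistics import median

# Constructed sample data: monthly kWh per account, oldest month first.
CONSUMPTION = {
    "acct-1001": [820, 790, 805, 830, 810, 390],        # sudden halving, no event
    "acct-1002": [640, 655, 630, 660, 650, 310],        # halving, but tenant changed
    "acct-1003": [1200, 1180, 1210, 1190, 1205, 1150],  # normal variation
    "acct-1004": [300, 310, 0, 0, 0, 0],                # disconnected account
}

# Constructed account events: account -> {month index: event type}.
EVENTS = {
    "acct-1002": {5: "service_transfer"},
    "acct-1004": {2: "disconnect"},
}

# Events that legitimately explain a large drop (hypothetical event names).
EXPLAINING_EVENTS = {"service_transfer", "disconnect", "structure_loss"}


def baseline(history, window=3):
    """Median kWh of the `window` months preceding the latest one."""
    prior = history[-(window + 1):-1]
    return median(prior) if prior else None


def drop_ratio(history, window=3):
    """Fractional fall of the latest month versus baseline; None if no baseline."""
    base = baseline(history, window)
    if not base:  # new account or an all-zero history: nothing to compare against
        return None
    return 1.0 - history[-1] / base


def flag_for_spot_check(consumption, events, threshold=0.5, window=3):
    """Accounts whose latest month fell by at least `threshold` against baseline
    and that have no explaining event in the current or previous month."""
    flagged = []
    for acct, history in consumption.items():
        ratio = drop_ratio(history, window) if len(history) >= 2 else None
        if ratio is None or ratio < threshold:
            continue
        current_month = len(history) - 1
        recent = [ev for m, ev in events.get(acct, {}).items() if m >= current_month - 1]
        if any(ev in EXPLAINING_EVENTS for ev in recent):
            continue  # drop is explained; no crew needed
        flagged.append((acct, round(ratio, 2)))
    return flagged
```

Feeding the constructed data through flags only acct-1001; acct-1002's halving is explained by the transfer and acct-1004 has no usable baseline.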

Nothing is a perfect solution, but it's incredibly frustrating for security professionals to see the same familiar classic concepts abused over and over with new technologies, only to have the technology itself (rather than the implementation) blamed for the problem.
