Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Smart Meter Attacks: Old Vectors Die Hard

Much has been made of the recent attacks against a Puerto Rican utility's smart metering system, and perhaps it's warranted in some ways. After all, theft is theft, whether it's power, your bicycle, or beer out of my fridge. Those of us who reside in North America may not think much of scamming on our $50 a month power bill for our apartment, but utility theft is a major industry elsewhere in the world, particularly for commercial installations. Despite this, it's important to realize that the concept of power theft is nothing new, and that the technology in play is not what is enabling the theft - it is simply changing the way people steal.

Why should we be concerned, but perhaps not hysterical? Two things enabled the theft: physical access and insider corruption. First, as with most pieces of technology, if you have physical access to the device, it's game over. Your server has passwords? I'll rip out the drive. You have full disk encryption? Let's PXE boot and copy your memory. There are ways to slow an attacker down, but ultimately if he/she has physical access, something bad is going to happen.

Second, the concept of bribing/threatening an insider is perhaps an even more powerful one - it's an expansion on the age-old theme of slipping your cable installer an extra $20 for HBO, only in this case you're suggesting you'll break his legs for the keys to your meter box. Given the general disincentive for honesty (and incentive for walking), it would seem field repair personnel are an ideal first target. They have access to diagnostic tools, field manuals, and other information that would prove useful.

Is all this starting to sound familiar? It should - concepts like "physical security" and "insider threat" have been around since the dawn of the security field. That's why these types of attacks should come as little surprise - they apply to smart metering technology just as much as to the mechanical meters of the past. An attack based on one of these concepts is possible no matter what technology is in play. Again, smart metering is not simply enabling people to steal (we've always been able to steal), it's changing the way (and perhaps the uniformity of the way) we steal.

You're probably saying to yourself, "Surely, utilities are taking steps to address this!". As we mentioned in our smart metering tech overview back in 2010 (the same year the FBI study was published), metering companies are actually beginning to take meter security somewhat seriously. While most specifics are slightly cloak and dagger, the majority of smart metering implementations attempt to create a robust, meshed, encrypted grid back to the utility. Granted, the main interest of providers is that they get data consistently and reliably, but some thought has been given to potential grid attacks. On paper at least, the design appears to have been given some decent thought.

Why do we still see attacks, then? One main issue persists - just because the meter manufacturer provides these wonderful features (tamper detection, encryption, custom configuration, etc.) doesn't mean the utility has to actually enable them. It's the equivalent of purchasing a fancy firewall or IDS and sending all your logs to /dev/null. Part of this is no doubt in part due to the slow pace of technological evolution for utilities (SCADA-related systems aren't traditionally known for being cutting edge), and the historical emphasis on stability and uptime (not necessarily bad things when you consider the implications of redundancy at a nuclear power plant).

What may prevent such attacks in the future? Let's start by using those nifty metering features for their intended purpose. If your choice of meter for your grid has a tamper alarm, enable it (hopefully coupled with a decent physical barrier that protects diagnostic ports). Other systems have a check-sum feature, which queries meters to determine firmware revision. It's conceivably easy to fool such checks, but it's a start. Frustrate intruders even more by frequent over the air firmware updates (once every few months). Finally, if all else fails, use fraud analytics (think credit card-style) on power consumption, coupled by common sense - if a consumer's utility bill is suddenly half of what it was last month and the service hasn't changed hands (or the building hasn't burned down), send a spot check crew out to investigate. Oh, and while you're at it, rotate the crew every so often, just in case someone is on the take.

Nothing is a perfect solution, but it's incredibly frustrating for security professionals to see the same familiar classic concepts abused over and over with new technologies, only to have the technology itself (rather than the implementation) blamed for the problem.