Smashing the Smart Grid. Hackers target ZigBee.
Published in Smart Energy
It’s been a good week for scare stories about Smart Energy. Whilst they’ve predictably generated some excellent headlines (and I can’t resist joining in), the facts behind them are very important. We’re rushing into a global energy monitoring and delivery system with little understanding of whether or not it is secure.
What we can predict is that as soon as Smart Meters are deployed, the first impulse of every neighbourhood hacker will be to take control of their school or local government’s heating and air conditioning, just to prove they can. At one level, that’s a local annoyance. If it affects our utility bills it becomes more than an annoyance. And if it were co-ordinated by someone with a more malicious intent, then turning everything on at a peak time would take the grid down. So it’s important that we make sure it is as secure as possible.
That makes the two pieces of news this week a lot more important than just providing the excuse for a good headline. The first announcement was that the Information Trust Institute at the University of Illinois has been granted $18.8 million for a five-year research project on securing the Smart Grid. The second piece of good news is the release of a set of ZigBee hacking tools by Joshua Wright at ToorCon11. These will let developers discover what vulnerabilities exist within the ZigBee standard, which is vitally important if it wants to be selected for use in Smart Meters. Josh describes his work as “will hack for SUSHI”. As far as I know he’s not received any sushi for his efforts, let alone an $18.8 million grant. If the Government is serious about the security of the energy supply, they should consider diverting some of that funding in his direction.
So why should we be worried…?
The Smart Grid and Smart Energy initiatives are massive undertakings. Smart Energy alone involves installing at least two new utility meters into most homes – one for electricity and a second for gas. Most countries are looking at a timescale of ten years to complete that process. Even that is probably optimistic – it is a massive undertaking and cost. However, if these meters are rushed out before the security implications (or other practical implications like wireless interference) are sorted out, this cost could be doubled as that deployment might need to be updated or at worst repeated.
The University of Illinois project addresses the grid, driven by concern about cybercrime and malicious hacking. That’s an important project, as damage to the grid, either deliberate or casual, has massive consequences, extending through the entire economy. However, that shouldn’t overshadow the need for security in the home at the Smart Meter level. Smart Meters still have the potential to cause pain at many different levels.
What are the risks if we get security wrong in Smart Meters?
- The simplest one is annoyance and cost. Smart meters don’t just send meter readings to the utilities; they also enable users or service providers to control the devices around our homes, turning them off when they’re not needed, or when energy costs are high. A breach in security allows this to be manipulated.
At the basic level, this is just an annoyance, but it can pose real dangers. Turning heating off for an elderly resident, or changing settings at a hospital can kill. Small manipulations that ignore messages from the utility about higher short term energy costs can cause a bill to rocket.
Most importantly, anything that reduces customer confidence in smart meters and energy management will result in them reverting to their previous non-smart behaviour. It is going to be an uphill struggle to persuade consumers to use smart energy techniques to reduce their energy consumption. To achieve that, the system needs to be water-tight.
- There’s an even more important reason to make sure smart meters are secure. Utilities are paranoid about security and with good reason. It’s not just because they want to keep customer data secure – there’s another important reason. Where there are two or more utility meters in a house, one of them, probably the electricity meter, will act as the common gateway, transmitting data to and from all of the other meters. This means that other utilities will have to rely on the electricity supplier to carry their data.
The other utilities are paranoid that if the electricity company can gain access to their customers’ usage, then it will be able to offer a competitive package to the user. Knowledge of household energy usage is gold-dust to a utility. If there is any evidence that security is weak and might allow data to be read by a competing utility, the utilities will walk away. For them to participate in sharing a single gateway, their individual data must be secure.
None of the different standards bodies bidding for a part of the Smart Energy market are cavalier about security – they’ve all seen the consequences of getting it wrong and spend considerable time and effort adding it into their specifications. History shows that this is only one step. Security is never broken by the standards bodies themselves; it’s broken by others who look at it from a different perspective and try to crack it. That’s people like Josh. In general, to get interest from this community, products need to be shipping in appreciable volume, as it’s not that interesting to find holes in something that never gets to market. The big wireless standards – GSM, Bluetooth and Wi-Fi – have all come under this scrutiny. There are plenty of security attack tools available to test them and they have responded to the flaws that have been exposed. As a result they’re much better standards.
As ZigBee is positioning itself as a major player in the Smart Energy market, it’s desperately important for it to submit itself to the same investigation, which is why I welcome the announcement of tools for testing it.
Josh makes a very eloquent point in his presentation. “To date, vendors haven’t taken ZigBee security seriously due to the lack of attack tool availability. It’s not going to get better until we have a practical attack surface.”
That excuse is now disappearing. I hope that the ZigBee community makes use of these tools to test the rigour of its current security mechanisms before it moves to any large scale deployments.
Very interesting – and got me thinking more about the security issues here. As the UK government gradually erodes our personal freedoms, this will be another string to their bow to keep the population suppressed! http://simontaylor.wordpress.com/2009/11/21/whats-so-smart-about-smart-meters/
This whole thing is going to be a complete mess as every country employs different standards, much as we already have different systems for so many things that could be standardised, but the competitive ‘de-facto’ standards just run in parallel.
This is going to be a huge missed opportunity.
To reply to Akiba’s comment, I meant it when I said that this work is as worthy of Government funding as any University project. I don’t believe standards writers do anything other than their best to ensure they have a secure specification, but they’re too close to everything to be sure. In that way the work that people like Akiba and Josh are doing is akin to that of proof readers, helping to correct errors that have been missed.
Except that it is more important than that. Standards only provide the toolkit for security. It’s up to the people who make real devices to ensure that they use all of those tools. Often, if they don’t perceive a threat, or don’t fully understand what they’re doing, they can introduce security errors despite the standard. (The practice of using 0000 as a Bluetooth PIN is a classic example). Providing tools like this and making them public is one of the best ways to ensure that security is correctly implemented.
I have recently started looking into this area from a utility’s point of view. I therefore find it interesting that the NIST has clearly identified these issues and has teams working on exactly these functions.
http://www.nist.gov/public_affairs/releases/smartgrid_interoperability.pdf
I quote from the very first paragraph of the executive summary: “Without standards, there is the potential for investments to become prematurely obsolete or to be implemented without necessary measures to ensure security.” The third paragraph states: “This report … describes the strategy being pursued to establish standards for ensuring cyber security of the Smart Grid.”
To my mind, that not only acknowledges most of the concerns you have raised but is also trying to address them in the only way a Government can – Standards.
Also note that governments seldom lead. Instead, they follow. The very nature of a democratic setup puts the voter in control. Therefore, parastatal utilities are managed by folk who are paranoid about their public image. To ask them to stick their necks out and take control is futile. They simply won’t do it. It could cost them their jobs. Their tactic for deflecting this risk is to form many committees (e.g. standards committees) that endlessly talk until a clear lead comes from somewhere else. Then only will they move in such a way as to try to give the impression that they were in control all along.
So to get something done, someone else must take the flak, get out there and start making mistakes for them.
Maybe they’re not so stupid after all!
I’ve been working with Josh on Zigbee security and it should be understood that he’s not trying to maliciously attack Zigbee devices. Any protocol that isn’t getting attention by security researchers will be a vulnerable protocol. The fact that Zigbee is undergoing penetration testing by researchers will only serve to strengthen the security by making vulnerabilities known and allowing holes to be patched.
Akiba
FreakLabs Open Source Zigbee Project
http://www.freaklabs.org
I couldn’t agree more. I’ve helped implement Bluetooth in Chip and Pin credit card readers and it’s wonderful to work with an industry that understands end-to-end application security.
There’s no reason why the Smart Energy industry should not do the same. My concern is that they are not. Not only are they ignoring application level security, they’re not even bothering much at the transport layer. To requote Josh “To date, vendors haven’t taken ZigBee security seriously due to the lack of attack tool availability. It’s not going to get better until we have a practical attack surface.”
One issue that Smart Energy devices pose is that the low power ones typically have little processing power. That shouldn’t be an issue, as there are some perfectly good encryption schemes available that don’t need hundreds of MIPS. But because the industry typically sees an 8-bit microprocessor as exotic, they tend to avoid any application layer security.
Nothing here is impossible. As you say, it’s been done before. The difficult bit is alerting a new industry to the fact that they need to make the same degree of effort as others who have previously faced and solved the same problem.
Many of these problems have already been solved by the Point-of-Sales terminal industry.
Consider when you pay for your weekly groceries with a credit card. Does the checkout assistant ask which type of card you want to pay with and then present you with one of several terminals? No! One terminal can connect to many payment networks. Do all the payment networks trust each other?
The answer is they don’t have to because they can all trust the device, without having to trust each other.
The same technology can be applied to Smart Meters. The problem is bigger than which communications channel to use and how to secure it. Application level security is required; relying solely upon comms channel security is a recipe for disaster.