by Johannes Lintzen, Utimaco
Increasingly, utilities are challenged to modernize their power grid to become "smart." Part of becoming smart means undergoing the transition from traditional one-way communication (from the generation of power through the distribution networks to the consumers) to two-way communication, or advanced metering infrastructure (AMI). As such, the smart grid is an advanced Internet Protocol (IP)-based network based on the same communication model as the Internet. Every energy meter, every communication node in the distribution chain in the smart grid is equipped with an IP address to be able to receive commands (on/off, less/more, tariff information, etc.) and to reply (OK/not OK) to the system, other participants in the network or both.
Two-way communication creates many advantages for both parties, but it also exposes sensitivities when sending commands to one another. Similar to risks in the financial sector, energy companies face an imminent threat of attack because of the high-value assets they hold and the potential impact of a security breach on critical physical infrastructure. As grids become connected and are opened up to the same attack surface as the Internet, critical security solutions also must be put in place.
One example of a typical command and attack scenario in the two-way communication smart grid is the remote disconnect of smart meters. In the "nonsmart" past, a disconnect of an electric meter always required a utility truck's driving to the meter and disconnecting it from the power supply. This could happen for various reasons: unpaid bills, moving, maintenance, etc. Now, smart meters allow for a remote disconnects, meaning a utility simply can send a disconnect command to a specific smart meter to turn off the service. But what would happen if a third party hacked into the system, hijacked the communication and repeated the same "disconnect from the grid" command to 50,000 meters at the same time? With a mass disconnection, the whole power grid could be out of sync, substations could go offline and potentially cause a rolling blackout that could shut down an entire portion of the grid in a county, state or the country.
The need for security and cryptography is necessary to support the smart grid infrastructure. But when talking about smart grid security, consumer privacy must be considered, as well.
Having smart TVs, refrigerators, washing machines and dryers that communicate to a smart meter can help reduce end user costs. Meanwhile, third parties could use information made available to spy on personal habits. All the smart electronic domestic appliances are sending data within the home-area network (HAN) to manage energy consumption efficiency. What if an electric vehicle in the household usually charges overnight? A hacker with access into the HAN possibly could spy on the habits of the household and take control over the vehicle's charge. The most obvious threat is discovering when no one is home based on usage to break into the house and steal something. But a hacker also could disconnect the vehicle from the network.
What if you are unable to drive to work because your electric car was manipulated? Or your electric rate was switched to a much more expensive tariff without your notice?
A hacker also could misuse information by stealing it and also by generating false information about personal habits for selling commercial companies. How would that affect end users? If a lot of households were hacked by someone and detailed information about the energy consumption manipulated (e.g., using the dryer). Information could be generated that indicates 80 percent of households use very old dryers with a high consumption rate. This information could be very valuable to marketers and the dryer industry, which might target that area with marketing materials or send dedicated sales people to stop by the homes.
To avoid unauthorized access and control to the meter and HAN, it is necessary to keep both attack vectors in mind. Securing the infrastructure from blackouts and unauthorized commands is critical, and ensuring that private information cannot be misused is important, too. Both sides must be considered in any environment.
Compared with software solutions, hardware security modules (HSMs) offer strong security even in the most hostile environments. The module can detect attacks, including drilling, heat, power blackout or chemical attack, and automatically delete the keys immediately. In comparison, software-based cryptographic keys can be captured in the moment of unlocking, offering attackers the ability to learn the software, exploit vulnerabilities and run attacks remotely. In addition to the physical safeguarding of keys, the way that keys are generated also must be considered. True random number generation, which relies on the anomalies in physics instead of the constraints of zeroes and ones found in code, enables cryptographic keys that cannot be accessed.
As the power grid becomes smart and embraces two-way communication, paying close attention to what information is generated and how it may be accessed or misused will be critical to the smart growth of the industry.
Johannes Lintzen is vice president of sales and business development at Utimaco. He was instrumental in Utimaco's entrance into the North American market. Lintzen has more than 13 years' working in the security industry, specifically smart cards ID projects, PKI and key management.