NIST-IR 7628
So big it needs three PDFs to contain it...
Lots of words, any value?
Let's hear your thoughts!
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf
Friday, September 17, 2010
Thursday, July 1, 2010
New rules in California
http://info.sen.ca.gov/pub/09-10/bill/sen/sb_0801-0850/sb_837_bill_20100622_amended_asm_v93.pdf
(scroll to page 7 and read section 8364.5)
It looks like California is beginning to pay attention to SmartMeters and security. Starting in 2012, power and gas utilities that use SmartMeter/AMI systems will have to post the results of their security audits so the public can review them. There are some additional rules that apply to the vendors that state they have to provide the details of any encryption methods employed as well as provide the results of their own security audit of the system to be deployed.
While these provisions will add burden to the utilities and vendors, I am firmly of the opinion that they are long overdue. One of the major problems developing for the industry is trust. The public has an inherent distrust of large corporations and utilities, and the introduction of AMI has added fuel to the fire. Conspiracy theorists see Big Brother looking out at them from every meter, some (not all) independent security researchers have hyped vulnerabilities as precursors to the Apocalypse without any risk context. The advent of Time of Use and more granular billing structures has had a significant impact on some of the more economically challenged customers, and the press has taken all of this and sensationalized it to sell copy. By requiring these audits and other provisions, the CPUC has mandated that measurable results be published in such a way that they can be used to refute many of the claims that SmartMeters are inherently unsecure.
I am sure the utilities and vendors will raise a ruckus about having additional regulation and about how this will cost them pile of money to comply. I am also certain that there are members of my profession who will cry foul about posting an audit that exposes the weaknesses of a system. I am going to take a stand against the conventional wisdom in the information security industry and say that this is a GOOD thing. The best way to make sure that your weaknesses are not published to the world? Deal with them! Fix the holes, tighten up the procedures, improve the process. That way when you have to publish an audit, you can publish something that has nothing to give you away.
Sadly, security isn't even a second thought in many cases, it is less than an afterthought. Because it is very difficult to quantify a return on investment from security, it is most often only given attention when is is breached, or someone points out that the emperor has a pretty transparent wardrobe. These audits make a business case to improve security.
Time will tell how these rules impact the deployment of AMI...
(scroll to page 7 and read section 8364.5)
It looks like California is beginning to pay attention to SmartMeters and security. Starting in 2012, power and gas utilities that use SmartMeter/AMI systems will have to post the results of their security audits so the public can review them. There are some additional rules that apply to the vendors that state they have to provide the details of any encryption methods employed as well as provide the results of their own security audit of the system to be deployed.
While these provisions will add burden to the utilities and vendors, I am firmly of the opinion that they are long overdue. One of the major problems developing for the industry is trust. The public has an inherent distrust of large corporations and utilities, and the introduction of AMI has added fuel to the fire. Conspiracy theorists see Big Brother looking out at them from every meter, some (not all) independent security researchers have hyped vulnerabilities as precursors to the Apocalypse without any risk context. The advent of Time of Use and more granular billing structures has had a significant impact on some of the more economically challenged customers, and the press has taken all of this and sensationalized it to sell copy. By requiring these audits and other provisions, the CPUC has mandated that measurable results be published in such a way that they can be used to refute many of the claims that SmartMeters are inherently unsecure.
I am sure the utilities and vendors will raise a ruckus about having additional regulation and about how this will cost them pile of money to comply. I am also certain that there are members of my profession who will cry foul about posting an audit that exposes the weaknesses of a system. I am going to take a stand against the conventional wisdom in the information security industry and say that this is a GOOD thing. The best way to make sure that your weaknesses are not published to the world? Deal with them! Fix the holes, tighten up the procedures, improve the process. That way when you have to publish an audit, you can publish something that has nothing to give you away.
Sadly, security isn't even a second thought in many cases, it is less than an afterthought. Because it is very difficult to quantify a return on investment from security, it is most often only given attention when is is breached, or someone points out that the emperor has a pretty transparent wardrobe. These audits make a business case to improve security.
Time will tell how these rules impact the deployment of AMI...
Friday, June 18, 2010
Wake up!!
Time to reactivate this blog. the only thing worse than no blog is a dead one.
Ask yourself a question;
How would you feel about your electric meter being controlled from the Internet? How about getting your Internet from your power meter? Sounds silly, right? Maybe not.
Over the last few conferences, I have gotten the impression that some utilities are looking for a way to reduce infrastructure costs and possibly monetize their proposed AMI networks. There has been a strong push toward higher bandwidth, IP to the meter, and even WiFi on the meter. This all smells like Internet via the meter to me.
I CAN see a reasonable commercial/business reason for this. Internet connectivity reaches most places people live these days so why not use this existing network and save the capital costs? Alternatively, if you are going to all the trouble to install this huge network, why not find a way to make it pay for itself? The Telcos and Cable operators did it, why not the utilities?
Why indeed...
There are a few darn good reasons not to. Consider the risks of combining a major control network with a public access medium. The obvious is that it allows remote access to the meter. I don't care how good you think your built-in firewall is, it isn't good enough to mitigate this risk. To an accomplished hacker a firewall is nothing more than a logging router that does NAT. Remote access to a large block of meters is a primary target. With this you can hold an entire city for ransom, wreak havoc, or even weaponize it for a nation/state actor. Next is the Denial of Service (DOS) attack. it doesn't even need to be directed or deliberate. Once the network used to control meters and collect data is overrun with the latest worm traffic, your expensive new AMI system has reverted to the functional equivalent of the old style electro-mechanical meters.
In coming days and week, I will offer fact, opinion, news, and trivia on the new power grid initiatives from an insiders perspective.
Stay tuned!
Robert
Ask yourself a question;
How would you feel about your electric meter being controlled from the Internet? How about getting your Internet from your power meter? Sounds silly, right? Maybe not.
Over the last few conferences, I have gotten the impression that some utilities are looking for a way to reduce infrastructure costs and possibly monetize their proposed AMI networks. There has been a strong push toward higher bandwidth, IP to the meter, and even WiFi on the meter. This all smells like Internet via the meter to me.
I CAN see a reasonable commercial/business reason for this. Internet connectivity reaches most places people live these days so why not use this existing network and save the capital costs? Alternatively, if you are going to all the trouble to install this huge network, why not find a way to make it pay for itself? The Telcos and Cable operators did it, why not the utilities?
Why indeed...
There are a few darn good reasons not to. Consider the risks of combining a major control network with a public access medium. The obvious is that it allows remote access to the meter. I don't care how good you think your built-in firewall is, it isn't good enough to mitigate this risk. To an accomplished hacker a firewall is nothing more than a logging router that does NAT. Remote access to a large block of meters is a primary target. With this you can hold an entire city for ransom, wreak havoc, or even weaponize it for a nation/state actor. Next is the Denial of Service (DOS) attack. it doesn't even need to be directed or deliberate. Once the network used to control meters and collect data is overrun with the latest worm traffic, your expensive new AMI system has reverted to the functional equivalent of the old style electro-mechanical meters.
In coming days and week, I will offer fact, opinion, news, and trivia on the new power grid initiatives from an insiders perspective.
Stay tuned!
Robert
Thursday, March 25, 2010
Travis Goodspeed's Blog
Another plug for a security blog
Travis is the guy who found and published the PRNG weakness in the TI ZigBee chipset.
Cassandra Security
Just a plug for the guys at Cassandra
Check em out, well reasoned and written fact and opinion
Tuesday, March 23, 2010
Smart Meters - An introduction
- INTRODUCTION
Like any commodity, energy, gas, water and sewage disposal must be measured to be sold. Over time a number of technologies have evolved to accomplish this goal. Naturally as long as there has been a way to meter a service, there have been people trying to figure out how to get around the metering systems and get those services for free. This paper will examine some of the new metering technologies and compare them to the older traditional methods in the light of a secure implementation.
TRADITIONAL METERING (Electro Mechanical)
The way services and utilities have traditionally been monitored has been with a mechanical system. Gas or water runs past some sort of vane which spins, driving gears and turning dials. Similarly a mechanical electric meter uses induction loops to spin an aluminum disk which then turns gears that spin dials. Of course this data needs to be collected to be billed. With this type of metering, a utility will typically get an actual read through a meter reader and use sophisticated statistical modeling to estimate the rest of the time. How often the actual read occurs is really a function of state regulation and utility policy. Now an interesting thing that you can do (among many) is that if you understand the cycle that your utility uses, you can invert the meter. That’s right, pull it out of the socket, turn it over, put it back in and you still get electricity, but the meter runs BACKWARDS! Cool, free electricity as long as you don’t let the meter reader see the meter installed upside down. Some meters had mechanisms to prevent them from running backwards, but not all. A way the utilities have come up with to combat this and other methods of fraud goes back to the sophisticated statistical modeling. If the system sees a significant change in your usage pattern, you get flagged for a live read.
AUTOMATIC METER READING (AMR)
Automated Meter Reading was introduced to accomplish two primary goals; improve the accuracy of metering by getting more live reads, and reduce the work force required to gather meter data. AMR is set up to send the data back to the billing system via some communication method, be it fixed service radio, data over power line, Meter reader with a handheld device, or by a truck driving around and gathering the data over a low power radio link to the meter. AMR introduced another interesting feature: the ability to detect if someone had tampered with the meter. As the technology has advanced, and traditional mechanical meters are replaced, AMR systems have become increasingly prevalent. The major downside to an AMR system is that it is mostly a one way communication system. The meters “bubble up” the data on a periodic basis to the utility. Newer Advanced AMR systems have integrated some limited two way functionality adding features like reading meter data on demand and remote disconnect switches. “Demand Reset” is also a function sometimes provided in two-way AMR. When you track a customer’s peak demand, the meter records the maximum peak instantaneous usage over a period. At the end of that period, you need to reset the demand back to zero so you can record during the next period. In earlier days, there was a locked button or lever the meter reader would press (they had the key) when they did the readings. More modern devices can do it based on a clock. In two-way AMR you can send a demand reset command after you’ve successfully retrieved the demand value. This inevitable march of progress has led us to the latest in service metering technology, AMI.
ADVANCED METER INFRASTRUCTURE (AMI)
Advanced Meter Infrastructure is where it gets cool (and spooky to some). AMI is the natural evolution of AMR technology. A full two way communication system that allows on demand reading, Time of Use (TOU) billing, remote disconnect operation, load limiting, demand response, and more. Where things get really interesting is when a Home Area Network (HAN)is integrated into the meter. Now the meter can talk to properly equipped furnaces, air conditioners, water heaters, micro generation systems, thermostats and In Home Display (IHD) devices that tell you just how much running the dishwasher will cost you to run at 3 in the afternoon vs. 3 in the morning. Past that it enables portable billing and usage of Personal Electric Vehicles (PEV) which can also be leveraged as local storage devices to help manage load spikes on the distribution system. Another interesting feature is the ability to subscribe to a service from the utility that allows them to reduce your power consumption by managing large appliances in return for a lower billing rate.
Notice I said SUBSCRIBE. You have to sign up for it. This is important because for all the really interesting things AMI can do, it has also stirred up some serious political debate. While the technical concerns around security are addressed further on, let us examine the paranoia that AMI has raised. The first fear is that The Government (you know who I mean, the socialist/fascist (sic) fat cats in and around DC) is going to take control of your appliances and dictate when you can use them, and how much. This is followed rapidly by the fear that The Government will collect your usage information and somehow use it against you. None of this is helped by political pundits and demagogues who have decided to whip the masses into a frenzy using this as one of the egg beaters. Politics aside, there ARE some genuine security concerns to look at, and that is one of the things we will look at starting with the next installment, “The Risks”
There are some intermediate steps in the evolution from electro mechanical metering to AMI, but they are outside the scope of this discussion. If you would like more information about the details, Wikipedia has some good articles.
The Power of Security
Pay any attention to the security press and you can't help but notice all the discussion about securing the power grid. My goal with this site is to document events and progress on this topic as well as to offer the opinions of myself and as many experienced professionals in the industry as I can goad into writing.
My opening post will be a sort of quick primer on the history of residential power metering...
My opening post will be a sort of quick primer on the history of residential power metering...
Subscribe to:
Posts (Atom)
Posts
