
Monday, July 22, 2013

Cyber Protection of Critical Infrastructure is becoming "Imperative"

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013

The digitisation of critical infrastructures has provided substantial benefits in terms of socio-economic developments – improved productivity, better connectivity, greater efficiencies. Yet some of these attributes also carry significant risks. Always-on Internet connectivity has ushered in a new cyber-age where the stakes are higher.

Disruption and destruction through malicious online activities are the new reality: cyber-espionage, cyber-crime, and cyber-terrorism. Despite the seemingly virtual nature of these threats, the physical consequences can be quite tangible.

The cyber protection of critical infrastructure has become the most immediate concern for nation states. The public revelation of widespread state-sponsored cyber-espionage presages an era of information and cyber warfare on a global scale between countries, political groups, hacktivists, organised crime syndicates, and civilian society – in short, anyone with access to an Internet-connected device. The focus on cyber security is becoming imperative.

While some industries have had highly advanced cyber-defense and security mechanisms in place for some time (e.g. the financial sector), others are severely lacking and are only just starting to implement measures (e.g. energy, healthcare). The drivers for the market in related products and services are numerous, but many will be propelled in large part by national cyber security strategies and policies.

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013. Increased spending over the next five years will be driven by a growing number of policies and procedures in education, training, research and development, awareness programs, standardisation work, and cooperative frameworks among other projects.

This Market Data on “Critical Infrastructure Security” breaks down spending for eight verticals: Defense, Energy, Financial, Healthcare, ICT, Public Security, Transport, and Water and Waste Management. The data is split by region (North America, Europe, Asia-Pacific, Latin America, the Middle East & Africa), by sector (private/public) and by type (product/service).

These findings are part of ABI Research’s Cyber Security Research Service.

Monday, June 10, 2013

Securing The Smart Grid

With reports of regular cyber attacks targeting the US smart grid, should UK energy and utilities rethink their approach to security?

"With greater connectivity comes the even bigger need for better energy efficiency, from which the concept of the smart grid was born. The idea of the smart grid is to use IT to gather and act on behavioural information from both consumers and suppliers in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity. However, along with higher energy consumption, greater connectivity also entices a far greater number of security risks."

Continue reading on the Guardian Media Network.

Wednesday, October 10, 2012

China Gets Serious about Grid Security

China announced its plans for a massive increase in smart grid security spending in an effort to contain risks that may arise from its aggressive smart grid expansion

What happened

Fears that its rapidly expanding electricity infrastructure may be vulnerable to security and cyber attacks prompted China to announce plans for a staggering increase in smart grid security spending. Representing a compound annual growth rate (CAGR) of almost 45%, grid defense spend will grow from US$1.8b in 2011 to US$50b by 2020.

Background

A new report by the business analysts at GlobalData described China’s smart grid security situation as an anomaly due to the scale of expenditure when compared with that of other regions. For example, Europe and North America combined are predicted to spend a comparatively modest US$16b on cyber security during the same forecast period.

But to put things in perspective, the GlobalData research also offers the following observations on China’s grid security policy:
  • China has a strained relationship with a number of nations in relation to cyber security.
  • The United States, in particular, has on several occasions accused Chinese hackers of attempting to breach their power systems.
  • China fears that these accusations may have fostered an environment of mistrust which may lead to retaliatory cyber-attacks on their own power infrastructure.
  • China continues to experience rapid urbanization and to expand its smart grid, which directly results in increased exposure to cyber attacks.

And let us not forget the Stuxnet computer worm discovered in 2010. The Stuxnet example is arguably the most dramatic demonstration of the vulnerability of modern power grids to malicious cyber-attack.

According to GlobalData, “the worm focused on 5 Iran-based organizations and was believed by many to be a deliberate attempt to disrupt the Iranian nuclear power program.”

Serious threats to securing the grid

A Pike Research 4Q 2011 report, entitled Utility Cyber Security: Trends to watch in 2012 and Beyond, identified the following threats to power grids everywhere:  
  • One size doesn’t fit all: cyber security investments will be shaped by regional deployments. As an example, consider smart meter saturation in the US versus EV adoption rates in the Middle East.
  • Industrial control systems, not smart meters, will be the primary cyber security focus. Here, they refer to control systems such as transmission upgrades, substation automation, and distribution automation.
  • Assume nothing: “security by obscurity” will no longer be acceptable. Using the example of the Stuxnet worm, assume attacks are a probability and not merely a possibility.
  • Chaos ahead?: The lack of security standards will hinder action. No industry standards exist.
  • Aging infrastructure: older devices will continue to pose challenges. While modern advanced metering infrastructure (AMI) devices have built-in cyber security, some supervisory control and data acquisition (SCADA) systems are older and have no built-in security features.
  • System implementation will be more important than component security. Cyber security works to protect a whole entity and attackers look for holes.

Monday, July 23, 2012

Smart meter hacking tool released

Termineter, an open-source tool designed to assess the security of smart meters, has been released


SecureState, an information security firm, on Thursday announced the public release of Termineter, an open-source framework written in Python that allows users to assess the security of Smart Meter utility meters over the optical interface. The company is calling it the first framework designed to give authorized individuals access to manipulate and test the security of smart meters.


You can check it out, as well as download it for yourself, over on Google Code. For the uninitiated, smart meters measure the amount of power and water being used in a home or business as well as gather other data. They send periodic reports back to the utility company for analysis.


Smart meters have been criticized by privacy advocates for tracking consumer actions while security researchers have warned about their potential for being exploited.


Here's the tool's official description:
Termineter is a framework written in python to provide a platform for the security testing of smart meters. It implements the C12.18 and C12.19 protocols for communication. Currently supported are Meters using C12.19 with 7-bit character sets. Termineter communicates with Smart Meters via a connection using an ANSI type-2 optical probe with a serial interface.
SecureState says it is releasing Termineter publicly to promote security awareness for Smart Meters and to improve security overall by providing a tool that brings basic testing capabilities to the community and meter manufacturers.


While individual users will require general knowledge of the meter's internal workings in order to use Termineter proficiently, power companies can use the framework to identify and validate internal flaws that leave them susceptible to fraud and significant vulnerabilities.


As with any release of a hacking tool, there are two sides of the same coin. On the one hand, Termineter should help companies find vulnerabilities and test their products. On the other hand, Termineter can also be used maliciously to modify consumer data, inflicting financial loss on one or multiple victims.

Sunday, July 22, 2012

ENISA Report: Ten Smart Grid Security Recommendations

Smart Grids need protection from cyber attacks


The EU Agency ENISA has launched a new report on how to make smart grids and their roll out a success, in particular by making sure that IT security aspects are properly taken into account from the beginning.


A smart grid is an upgraded electricity network with two-way digital communication between supplier and consumer. The adoption of smart grids will dramatically change the distribution and control of energy for solar panels, small wind turbines, electric vehicles, etc.


By making energy distribution more efficient, smart grids give clear benefits to users, electricity suppliers, grid operators, and society as a whole. At the same time, their dependency on computer networks and the Internet makes our society more vulnerable to cyber-attacks, with potentially devastating results.


Therefore, to prepare for a successful roll-out of smart grids, this study proposes 10 security recommendations for the public and private sector out of almost 100 findings.


Some key report recommendations include:


  • The European Commission (EC) and the competent authorities of the Member States (MS) need to provide a clear regulatory and policy framework on smart grid cyber security at the national and EU level, as this presently is missing.
  • The EC, in collaboration with ENISA, the MS, and the private sector, should develop a minimum set of security measures based on existing standards and guidelines.
  • Both the EC and the MS authorities should promote security certification schemes for the entire value chain of smart grid components, including organisational security.
  • The MS authorities should involve Computer Emergency Response Teams to play an advisory role in power grids’ cyber security.


Cyber security aspects of smart grids

Smart grids give rise to new information security challenges for electricity networks. Information systems’ vulnerabilities may be exploited for financial or political motivation in cyber-attacks to shut off power plants.


This study makes 10 recommendations to the public and private sector involved in the definition and implementation of smart grids. These recommendations intend to provide useful and practical advice aimed at improving current initiatives, enhancing co-operation, raising awareness, developing new measures and good practices, and reducing barriers to information sharing.


The top 10 recommendations, aimed at various European Union and member-state organizations, are: 

  1. Improve the regulatory and policy framework on smart-grid cybersecurity at both the national and EU level.
  2. Create a public-private partnership to coordinate cybersecurity initiatives. 
  3. Promote initiatives to raise awareness of cybersecurity threats and conduct training.
  4. Foster knowledge-sharing initiatives.
  5. Develop minimum security measures based on existing standards and guidelines.
  6. Develop security certifications for components, products and organizational security.
  7. Create test beds and security assessments.
  8. Develop and refine joint strategies to counter large-scale cyberattacks on power grids.
  9. Involve computer security incident response teams in an advisory role.
  10. Promote academic and R&D research into smart-grid cybersecurity, including through existing research programs.

The full ENISA smart grid report can be downloaded here.

Friday, May 11, 2012

Whitepaper: HMI/SCADA System Security Gaps

Understanding and Minimizing Your HMI/SCADA System Security Gaps


Being at the heart of an operation’s data visualization, control and reporting for operational improvements, HMI/SCADA systems have received a great deal of attention, especially due to various cyber threats and other media-fueled vulnerabilities.


The focus on HMI/SCADA security has grown exponentially in the last decade, and as a result, users of HMI/SCADA systems across the globe are increasingly taking steps to protect this key element of their operations. The HMI/SCADA market has been evolving over the last 20 years with functionality, scalability and interoperability at the forefront.


For example, HMI/SCADA software has evolved from being a programming package that enables quick development of an application to visualize data within a programmable logic controller (PLC) to being a development suite of products that delivers powerful 3-D visualizations, intelligent control capabilities, data recording functions, and networkability. With HMI/SCADA systems advancing technologically and implementations becoming increasingly complex, some industry standards have emerged with the goal of improving security. However, part of the challenge is knowing where to start in securing the entire system.


The purpose of this paper is to explain where vulnerabilities within an HMI/SCADA system may lie, describe how the inherent security of system designs minimizes some risks, outline some proactive steps businesses can take, and highlight several software capabilities that companies can leverage to further enhance their security.


Refer here to download the whitepaper. (Registration Required)

Thursday, April 19, 2012

Why Cyber Security is Critical for Smart Grid?

Critical Issues for the security requirements of Smart Grid!


Power system operations pose many security challenges that are different from most other industries. For instance, most security measures were developed to counter hackers on the Internet.


The Internet environment is vastly different from the power system operations environment. Therefore, in the security industry there is typically a lack of understanding of the security requirements and the potential impact of security measures on the communication requirements of power system operations. 


In particular, the security services and technologies have been developed primarily for industries that do not have many of the strict performance and reliability requirements that are needed by power system operations. 


For instance:
  • Operation of the power system must continue 24×7 with high availability (e.g. 99.99% for SCADA and higher for protective relaying) regardless of any compromise in security or the implementation of security measures which hinder normal or emergency power system operations
  • Power system operations must be able to continue during any security attack or compromise (as much as possible). Power system operations must recover quickly after a security attack or compromised information system
  • The complex and manifold interfaces and interactions across this largest machine of the world – the power system – make security particularly difficult since it is not easy to separate the automation and control systems into distinct “security domains”. And yet end-to-end security is critical
  • There is not a one-size-fits-all set of security practices for any particular system or for any particular power system environment
  • Testing of security measures cannot be allowed to impact power system operations
  • Balance is needed between security measures and power system operational requirements. Absolute security may be achievable, but is undesirable because of the loss of functionality that would be necessary to achieve this near perfect state
  • Balance is also needed between risk and the cost of implementing the security measures.
In the Smart Grid, there are two key purposes for cyber security: 


Power system reliability


Keep electricity flowing to customers, businesses, and industry. For decades, the power system industry has been developing extensive and sophisticated systems and equipment to avoid or shorten power system outages. In fact, power system operations have been termed the largest and most complex machine in the world.


Although there are definitely new areas of cyber security concerns for power system reliability as technology opens new opportunities and challenges, nonetheless, the existing energy management systems and equipment, possibly enhanced and expanded, should remain as key cyber security solutions. 


Confidentiality and privacy of customers


As the Smart Grid reaches into homes and businesses, and as customers increasingly participate in managing their energy, confidentiality and privacy of their information has increasingly become a concern. 


How can security requirements for smart grid interfaces be determined?


There is no single set of cyber security requirements and solutions that fits each of the Smart Grid interfaces. Cyber security solutions must ultimately be implementation-specific, driven by the configurations, the actual applications, and the varying requirements for security of all of the functions in the system.


That said, “typical” security requirements can be developed for different types of interfaces which can then be used as checklists or guidelines for actual implementations. Typically, security requirements address the integrity, confidentiality, and availability of data.


However, in the Smart Grid, the complexity of stakeholders, systems, devices, networks, and environments precludes simple or one-size-fits-all security solutions. Therefore, additional criteria must be used in determining the cyber security requirements before selecting the cyber security measures.


These additional criteria must take into account the characteristics of the interface, including the constraints and issues posed by device and network technologies, the existence of legacy systems, varying organizational structures, regulatory and legal policies, and cost criteria.


Once these interface characteristics are applied, then cyber security requirements can be applied that are both specific enough to be applicable to the interfaces, while general enough to permit the implementation of different cyber security solutions that meet the cyber security requirements or embrace new security technologies as they are developed.


This cyber security information can then be used in subsequent steps to select cyber security controls for the Smart Grid.

Sunday, April 15, 2012

Insufficient security controls for smart meters

Smart meters are not secure enough against false data injection attacks


False data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection; experts say the current generation of smart meters is not secure enough against false data injection attacks.

nCircle the other day announced the results of a survey of 104 energy security professionals.


The survey was sponsored by nCircle and EnergySec, a DOE-funded public-private partnership that works to enhance the cyber security of the electric infrastructure. The online survey was conducted between 12 March and 31 March 2012. 


When asked, “Do smart meter installations have sufficient security controls to protect against false data injection?” 61 percent said “no.” Power grids connect electricity producers to consumers through interconnected transmission and distribution networks. In these networks, system monitoring is necessary to ensure reliable power grid operation. 


The analysis of smart meter measurements and power system models that estimate the state of the power grid are a routine part of system monitoring. An nCircle release notes that false data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection. Smart meters vary widely in capability and many older meters were not designed to adequately protect against false data injection. It doesn’t help that some communication protocols used by the smart meter infrastructure don’t offer much protection against false data injection either. 


Together, these facts highlight a much larger potential problem with data integrity across the smart grid infrastructure. Because our nation relies on the smart grid to deliver robust and reliable power, we need to make sure that all systems that process usage data, especially those that make autonomous, self-correcting, self-healing decisions, assure data integrity.


Elizabeth Ireland, vice president of marketing for nCircle, noted, “A false data injection attack is an example of technology advancing faster than security controls.”


This is a problem that has been endemic in the evolution of security and it’s a key reason for the significant cyber security risks we face across many facets of critical infrastructure. Installing technology without sufficient security controls presents serious risks to our power infrastructure and to every power user.

Thursday, April 12, 2012

Smart meter hacks likely to spread

Miscreants are reprogramming meters to report less power usage, for a fee


A series of hacks perpetrated against so-called "smart meter" installations over the past several years may have cost a single electric company hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. 


The US law enforcement agency said this was the first known report of criminals compromising the hi-tech meters, and that it expected this type of fraud to spread across the country as more utilities deploy smart grid technology. Smart meters are intended to improve efficiency, reliability, and allow the electric utility to charge different rates for electricity at different times of day. 


Smart grid technology also holds the promise of improving a utility's ability to remotely read meters to determine electric usage. But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorised modifications.


The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the internet. Citing confidential sources, the FBI said it believed former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. "These individuals are charging $300 to $1000 to reprogram residential meters, and about $3000 to reprogram commercial meters," the alert states. 


The FBI believes that miscreants hacked into the smart meters using an optical converter device - such as an infrared light - connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the internet. 
"The optical converter used in this scheme can be obtained on the internet for about $400," the alert reads. "The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact." 
The bureau also said another method of attacking the meters involved placing a strong magnet on the devices, which caused them to stop measuring usage while still providing electricity to the customer.
"This method is being used by some customers to disable the meter at night when air-conditioning units are operational. The magnets are removed during working hours when the customer is not home, and the meter might be inspected by a technician from the power company." 
"Each method causes the smart meter to report less than the actual amount of electricity used. The altered meter typically reduces a customer's bill by 50 per cent to 75 per cent. Because the meter continues to report electricity usage, it appears to be operating normally. Since the meter is read remotely, detection of the fraud is very difficult. A spot check of meters conducted by the utility found that approximately 10 per cent of meters had been altered."
"The FBI assesses with medium confidence that as Smart Grid use continues to spread throughout the country, this type of fraud will also spread because of the ease of intrusion and the economic benefit to both the hacker and the electric customer," the agency said in its bulletin.
The hacks described by the FBI do not work remotely, and require miscreants to have physical access to the devices. They succeed because many smart meter devices deployed today do little to obfuscate the credentials needed to change their settings, according to Tom Liston and Don Weber, analysts with InGuardians, a security consultancy based in Washington, DC. 


Liston and Weber have developed a prototype of a tool and software program that lets anyone access the memory of a vulnerable smart meter device and intercept the credentials used to administer it. Weber said the toolkit relied in part on a device called an optical probe, which can be made for about $US150 in parts, or purchased off the internet for roughly $US300. 
"This is a well-known and common issue, one that we've been warning people about for three years now, where some of these smart meter devices implement unencrypted memory," Weber said.
"If you know where and how to look for it, you can gather the security code from the device, because it passes them unencrypted from one component of the device to another."
The two researchers were slated to demo their smart meter hacking tools at the Shmoocon security conference. Utilities have to be more enterprise security-aware. With these incidents at organisations of any size or age, the first reaction is to cover it up. The thinking is if we keep this kind of thing secret, nobody will find it or exploit it. But for those of us who are inside the industry, and have been at this long enough, the only way we're going to fix a security problem is to expose it.


Australia has approximately 1.5 million smart meters installed, according to telecommunications analyst Paul Budde, founder of Smart Grid Australia, an industry alliance working on Australia's Smart Grid-Smart City electricity network upgrade project. Approximately 1 million are deployed in Victoria, the state chosen as the test site for the country, he said. 


Budde said the hacking of smart meters was among the issues electricity companies would work to prevent. 
"Obviously as soon as you start adding communications to the [electricity] network there are possibilities of others getting access to it as well. It applies to everything that has to do with communications. Smart grids and smart meters are also affected by that."
"But [the risk] is very well understood now; companies involved are making sure there's security in place to make it less [likely] to happen." Budde said the US was one of the first countries to roll out smart meters and learnings from the North American experience were shared among all countries working on smart grids. "Other electricity companies can learn from that," Budde said.


Refer here to read further details.
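
The FBI alert quoted above describes two under-reporting patterns: a sustained 50 to 75 per cent drop in reported usage, and a meter that stops measuring at night while still showing daytime load. The following Python is an added example of screening interval data for both; it is not from the original post or the FBI bulletin, and the hourly-kWh input layout, the night window, the thresholds and the meter IDs are assumptions, with all readings constructed for the example.

```python
from statistics import median

# Assumptions for this example (not from the alert): hourly kWh readings,
# a 20:00-06:00 night window, and the window lengths below.
NIGHT_HOURS = frozenset(range(0, 6)) | frozenset(range(20, 24))
DROP_THRESHOLD = 0.50      # the alert cites bill reductions of 50 to 75 per cent
BASELINE_DAYS = 14
RECENT_DAYS = 7
MIN_SILENT_NIGHTS = 5
ZERO_KWH = 0.01            # readings at or below this count as "not measuring"


def sustained_drop(days):
    """Return the fractional reduction of recent vs. baseline daily usage,
    or None if it is below DROP_THRESHOLD. `days` is a list of 24-value
    lists (hourly kWh), oldest day first."""
    if len(days) < BASELINE_DAYS + RECENT_DAYS:
        return None
    baseline = median(sum(d) for d in days[:BASELINE_DAYS])
    recent = median(sum(d) for d in days[-RECENT_DAYS:])
    if baseline <= 0:
        return None
    reduction = 1.0 - recent / baseline
    return round(reduction, 2) if reduction >= DROP_THRESHOLD else None


def silent_nights(days):
    """Return the longest run of consecutive days on which every night hour
    reads ~0 while daytime hours still show load, or None if the run is
    shorter than MIN_SILENT_NIGHTS. An occupied home normally keeps some
    standby load at night; a vacant one reads ~0 all day and is not matched."""
    run = best = 0
    for d in days:
        night = [d[h] for h in range(24) if h in NIGHT_HOURS]
        day = [d[h] for h in range(24) if h not in NIGHT_HOURS]
        if max(night) <= ZERO_KWH and sum(day) > ZERO_KWH * len(day):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best if best >= MIN_SILENT_NIGHTS else None


def review_meter(days):
    """Run both checks and return a list of (rule, value) findings."""
    findings = []
    drop = sustained_drop(days)
    if drop is not None:
        findings.append(("sustained_drop", drop))
    nights = silent_nights(days)
    if nights is not None:
        findings.append(("silent_nights", nights))
    return findings


def screen(fleet):
    """Return {meter_id: findings} for meters with at least one finding."""
    results = {m: review_meter(days) for m, days in fleet.items()}
    return {m: f for m, f in results.items() if f}


# --- Constructed sample data (not real meter readings) ---------------------
def _day(scale=1.0, night_off=False):
    """0.3 kWh standby each hour plus an evening peak, optionally scaled
    down or with the night hours zeroed."""
    hours = [round(scale * (0.3 + (1.2 if 17 <= h <= 22 else 0.0)), 3)
             for h in range(24)]
    if night_off:
        hours = [0.0 if h in NIGHT_HOURS else v for h, v in enumerate(hours)]
    return hours


FLEET = {
    "M-1001": [_day() for _ in range(21)],                         # unchanged
    "M-1002": [_day() for _ in range(14)] + [_day(scale=0.35) for _ in range(7)],
    "M-1003": [_day() for _ in range(14)] + [_day(night_off=True) for _ in range(7)],
}

if __name__ == "__main__":
    for meter_id, findings in sorted(screen(FLEET).items()):
        print(meter_id, findings)
```

In the constructed data the night-time pattern reduces the daily total by less than half, so only the second check catches it. A finding is a reason for a field inspection, not proof of tampering.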

Sunday, September 11, 2011

ZigBee Architecture Basics

Zigbee Networking Architecture

This training video is intended to explain the ZigBee mesh networking architecture at a high level. It discusses basic topics such as:

What is mesh networking?


Saturday, September 10, 2011

Overview of ZigBee Home Automation and Smart Energy Profiles

Security is a key concern for Zigbee

Ember training curriculum video about Home Automation (HA) and Smart Energy (SE) application profiles.

Explains the basic intentions of these profiles and covers (for each profile):


Tuesday, August 23, 2011

Smart grid cybersecurity strategy – industry proposals

Smart grid security challenge highlighted in report

Government plans to create a smart grid for energy networks will require a coordinated focus on cybersecurity as communication networks play a key role, according to a report from The Energy Networks Association (ENA).

The ENA published the report for the Department of Energy and Climate Change (DECC), which is responsible for the energy smart grid. The findings of the research, which was carried out by consultancy KEMA, revealed that the government and network providers need a more "coherent and joined-up approach" to secure the smart grid.

Security a top priority in smart grid development

The report outlines how the smart grid will affect networks and describes how cybersecurity should be an important consideration when developing the smart grid's architecture, technology and management systems.

For example, the report says: "ICT security, along with computing system reliability, safety and maintainability, are critical attributes for smart grid implementation and operation, and need to be considered as part of overall risk management for this critical national infrastructure."

Coordinating the smart grid project

Last week, the IT sector, under the wing of Intellect, got involved in the smart grid debate with the launch of cross-industry organisation SmartGrid GB. This group brings together IT companies, environmental organisations, government, regulators and consumer groups. It will coordinate the multiple stakeholders and advise the government.

Robert McNamara, energy and environment programme manager at Intellect, is SmartGrid GB's manager. He welcomed the report: "A lot of data will be transported on the smart grid and through smart metering. It is absolutely imperative that security is the number one priority."

IT suppliers invited to bid for smart grid contracts

The DECC has already put a notice out to IT suppliers informing them to be ready to bid for work. A new company will be set up to manage the data that smart meters send and receive. The central data and communications company (DCC), as it is known, will require services from IT and communication service providers.

The smart grid project involves using smart meters in the home to help consumers control their energy usage. But a survey, which was commissioned by smart meter technology provider T-Systems and carried out by the Economist Intelligence unit, revealed antipathy towards the government's plans to roll out smart meters to 30 million homes by 2020. Consumers are more concerned about the financial costs of using smart meters than the environmental costs of inefficient energy use.

Thursday, July 21, 2011

Security analysis of Dutch smart metering systems

Smart metering must offer a security level as high as for money transfers - Dutch minister of Economic Affairs

Smart meters enable utility companies to automatically read out metering data and to give consumers insight into their energy usage, which should lead to a reduction of energy usage. To regulate smart meter functionality the Dutch government commissioned the NEN to create a Dutch standard for smart meters which resulted in the NTA-8130 specification.

Currently the Dutch grid operators are experimenting with smart meters in various pilot projects. In this project we have analyzed the current smart meter implementations and the NTA using an abstract model based on the CIA triad (Confidentiality, Integrity and Availability). It is important that no information can be obtained by unauthorized parties, that smart meters cannot be tampered with and that suppliers get correct metering data.

It was concluded that the NTA is not specific enough about the security requirements of smart meters, which leaves this open for interpretation by manufacturers and grid operators. Suppliers do not take the privacy aspect of the consumer data seriously. Customers can only get their usage information through poorly secured websites. The communication channel for local meter configuration is not secured sufficiently: consumers might even be able to reconfigure their own meters.

Also, the communication channels that are used between the smart meter and gas or water meter are often not sufficiently protected against data manipulation. It is important that communication at all stages, starting from the configuration of the meter to the back-end systems and websites, is encrypted using proven technologies and protected by proper authentication mechanisms.

Refer here to download the full report.