Arguably the biggest challenge of the digital age is the need for security to protect against the less scrupulous members of society who are concerned either with theft or the sowing of chaos and destruction.
With the power grid considered as ‘critical infrastructure’ and attacks such as that on Ukraine’s grid in 2016 with the recently identified Crashoverride malware highlighting the very real threat, security is a key issue that must be taken very seriously.
And as new findings make clear, it concerns not only the deployment of new smart grid devices but the complete grid including the legacy devices.
The particular device vulnerability came to light purely by chance when New York University researchers acquired some power grid devices on ebay to incorporate in a testbed investigating security and privacy issues for smart cities.
One of these, a model from GE’s Multilin protective relay range, was found to exhibit two major vulnerabilities when its security was tested, Mihalis Maniatakos, Assistant Professor of ECE at NYU Abu Dhabi and a Research Assistant Professor at the NYU Tandon School of Engineering, told Engerati in an exclusive interview.
One of these was a weak encryption scheme. Rather than a random initialisation vector (IV), a fixed IV was used when encrypting the password, and rather than non linear transformation, linear transformation was used in the encryption algorithm.
The second was that the encrypted password could be accessed without proper authentication, by interrogating the Modbus registers.
“What we have here is a home brew encryption scheme that could have allowed a potential attacker to take control of the device,” says Maniatakos.
Once that is done, then the set points, and the password itself, could be changed. For example, the over current protection setting could be changed so that the device always trips or never trips – with concomitant impacts on power supply either way.
Perhaps even more significant is that a change of password would lock out the operator from the device, not only remotely but also physically.
“Probably the device would need to be decommissioned before it could be restored,” says Maniatakos.
But it points to a wider industry problem. “The fact we were able to buy the device on ebay is troubling in itself,” Maniatakos points out. “We found over 3,000 devices on ebay from the top five manufacturers alone. They are generally very cheap, much cheaper than new, and with many dating from the 1990s, some might be expected to have security weaknesses.”
He adds that there is no reason such devices should be appearing on ebay. In the case of the Multilin relay that was purchased, the seller, an individual, indicated that it had been acquired for a project that was not implemented.
His gut feel, he says, is that they are taken, perhaps by utility employees looking to make some extra money, rather than coming direct from either the utility or the vendor.
With these findings to hand, the researchers turned to investigate what other information is publicly available on the broader internet that may indicate vulnerabilities in the grid.
And there is a lot, ranging from power lines and generation facilities visible on imagery such as Google maps to GPS coordinates and other sectoral data in power system databases and regulatory papers, new device details in utility and vendor news releases, and for example specifics such as current generation loads and next day load forecasting.
“Both topological and electrical data are necessary for a potential attack and there is certainly sufficient information to start building a picture of the most critical points,” says Maniatakos.
While the availability of such data isn’t a problem in itself, he adds, it does point to the need for those publishing such information to understand how much information they should publish and in what form.
As an example, he says that load data could be presented using secure computation, which “would achieve the same end goal without revealing the actual numbers.”
From these two pieces of work, Maniatakos offers two key takeaways.
First, device developers should not use “home brew” security. They should use security protocols that are well established and that have been vetted by security experts.
Second, power sector players should reveal only as much information as is required to meet their particular objectives.
“What this work has revealed is the need for constant awareness of the security of the grid,” Maniatakos says. “And while we did find a vulnerability, the easiest way to access a device is on the internet and we did a search and are not aware of any such devices connected to the public internet.”