Alright, welcome to Hacking the Smart Grid. My name is Tony Flick. I'm a principal with FYRM Associates. We're an information security professional services company. We are giving away Get Firm T-shirts, so if you're interested in getting one, come see me after the talk, or come see the other guy wearing the I Am Firm T-shirt. I've got about six years in the information assurance field. I've always been interested in security, so there's definitely a good time to be doing some research on the smart grid. I've been to many DEF CONs. If you guys have ever been to the EMS buffet, I highly recommend it, but I mean, it's, yeah, I'm hurting today because of it.

Alright, so what are we going to go over today? We're going to kind of go over what is the smart grid, what makes up the smart grid, known problems that we're trying to deal with, security initiatives that are going to try to take care of the problems that have been identified, as well as a timeline. So one of the main topics that has been discussed with securing this smart grid has been integrating security from the beginning, and I'm going to kind of discuss one main component of integrating security from the beginning that's absolutely required in order to do that. On top of that, I'm going to talk about history repeating itself. So in my research, I've kind of noticed a few things that have popped up that we've made these mistakes in the past with previous technology initiatives, and it looks like we're going to be doing the same things over and over again. And then after that, I'll have a few quick recommendations about moving forward.

Alright, so what exactly is this smart grid? So if you look at the current infrastructure, the current electrical infrastructure is what's been kind of coined an analog system.
So you get your electricity, every once in a while, a meter guy will come out, he'll hop fences, try to dodge your dog, and come out and read your meter to try to give you an accurate reading, try to give you an accurate bill. But we are trying to move on, trying to move beyond that, try to upgrade this infrastructure. And there's kind of an intermediate step in between the current infrastructure and what we're moving towards. And that kind of introduced one-way communications. So basically the utility companies could read your meter remotely. And basically this is to kind of avoid having to send people out there to your homes and businesses in order to read that bill. Or sorry, create that bill.

So what are we moving towards? So we're moving towards this more futuristic infrastructure where everything's connected, right? We live in a connected world. So why not actually connect the smart grid? Or sorry, connect the electrical infrastructure.

So what makes up this smart grid? So let's look at devices. So what they're going to be rolling out are smart meters for the first place. On top of that, we're going to be throwing out interfaces. So this could be wall monitors that they put into your houses. And this could be something along the lines to monitor your electricity usage in quasi-real time. So when I say quasi-real time, it's basically like once an hour or so, that reading will actually update. On top of that, they're going to have remote sensing devices so that they can remotely read your meter, as well as power system automation and home appliances. So take, for example, your refrigerators, your air conditioners, your dishwashers. So those are all actually going to be connected in this new infrastructure.

So what are the problems that have been identified and discussed? So the first problem is going to be physical security. So we're installing smart meters in people's homes, people's businesses.
So in order to actually secure that, basically what they want to do is try to prevent people from tampering with these devices. And that's obviously going to create a huge problem because you're putting these things in people's homes. So people are going to instantly have physical access to these devices. Now on top of that, we're going to have bidirectional communication. So this is going to introduce a ton of new attack vectors. And one of the things I'm going to be focusing on later in the talk is that even though this is a new technology infrastructure, a new initiative, it's going to be vulnerable to the same types of problems as every other network and application. So on top of those interfaces that could be deployed in your homes and businesses, utility companies as well as several partners are going to be setting up websites. And these websites are going to allow you to go out there and access your energy usage. On top of that, there's going to be some capability to disable devices in your houses, to enable electricity to these devices. And so that's going to create some privacy concerns, basically some very big security concerns, which we'll get to.

So I've already started going into the implications. So we've got privacy concerns. So one of the first things you can talk about is what if people can read how much energy I'm using? Now for most people, that's probably not going to be that big of a deal. That's not exactly one of the things that I'm concerned with. Maybe if you're doing something, say for example, you have a grow operation. It's not what I would do, but it's not like I have one. But if you do, maybe your neighbor notices you're using three times as much electricity as they are. Now that might be because I've got 10 servers running in my house, or maybe it's because you're growing something. So that might be a way for someone to actually figure out maybe you're not doing something that you're supposed to.
On top of that, there is the ability, they're trying to build in, at least in the design specifications, to actually be able to remotely disconnect you. So say for example, you lost your job and you're late on a few payments. Well, they should be able to remotely disconnect you. And that might be a little bit embarrassing. Not something that you're going to want everyone to know about. On top of that, let's look at this from the electricity company's perspective. Electricity theft. Obviously they're providing you with a product slash service. They want their money for it. And so one of the biggest concerns they're going to have is making sure that people do not steal electricity from them.

And so kind of moving on to the security initiatives. So how are they actually going to solve this? So Congress enacted in 2007 what is called the Energy Independence and Security Act of 2007. And basically what this did was it tasked the Department of Energy with monitoring the smart grid rollout. On top of that, it tasked the National Institute of Standards and Technology with creating this interoperability framework. And basically this framework consists of roughly 10 documents. And a large part of this is concerned with actually making sure that different types of devices can actually communicate with each other. But more importantly for this conversation, I'm going to discuss a couple of the security documents that are included within this framework. So the first one that I'm going to talk about is the Advanced Metering Infrastructure System Security Requirements document. And I know it's kind of a long name, but basically what this describes are the security controls that are going to go into the smart meters that they're rolling out. Now on top of that, we're going to talk about the, just throw an acronym out there at you, NERC CIP documents 002 through 009. And for those of you who don't know, NERC stands for the North American Electric Reliability Corporation.
And basically this document contains security controls that are related to rolling out this smart grid. So one of the main concerns that I have with this after reading through it is that there's a lot of very high level stuff. And I have no problem with actually including high level security policies. But the problem is one of the major criticisms that we have seen in the past is that a lot of these documents can be very vague. And this is what I've kind of seen in these new documents. So for example, Confidentiality, Integrity and Availability. It's a very common CIA triad. Nothing wrong with this, right? We should absolutely have that in our technology infrastructure. But just calling for it doesn't actually mean that you're going to get it. And what I'm going to kind of talk about later on, provide some details, of course, is how we're calling for it, but we're not actually providing the details on how to do this. On top of that, what I'm going to talk about is, again, integrating security from the beginning.

So this is basically, I just copied and pasted some of the controls that are in this AMI doc, the Advanced Metering Infrastructure document. Just kind of give you some examples. So I kind of highlighted it in red and I hope you can read it. But basically what we're doing is we're leaving it up to the organization to define this actual security, right? So just kind of read the first line. The security function shall enforce a limit of organization-defined number of consecutive invalid access attempts. Now this leaves it up to the organizations to actually implement, right? Now it could be that the organization has a security department, a very good security department, and they actually define this. But what happens when this decision is not left up to the security department? What happens when it's left up to the business operations? And they may say, well, you know what, this is going to cause too many headaches.
Let's actually define that number to be a lot larger than what's actually recommended by this industry.

So basically what I want to do now is kind of take you through the timeline. So we had this Energy Independence and Security Act of 2007, which obviously came out in 2007. Then we had the NIST Smart Grid Interoperability Framework. And the initial standards, the initial framework came out in May of this year. On top of that we had the Advanced Metering Infrastructure System Security Requirements. It came out between 2007 and 2008, as well as like the NERC CIP documents. They were initially released in 2006 and then were later revised this year. On top of that there have been a number of initiatives that they're not finalized, they're still being discussed, so I'm not really going to talk about them, but just know that there are a number of things in the works.

So let's talk about integrating security from the beginning. So on the last slide it kind of showed you the timeline of these security initiatives. But the problem is we've been rolling out smart grids since 2002-2003. So just to give an example, the city of Austin, their energy companies actually started designing their smart grid in 2002 and then actually started rolling out devices in 2003. So I kind of asked the question, how can you actually include these security initiatives when they haven't actually been created yet?

History repeating itself. So I'm going to kind of use the payment card industry as an example. One of the more fun things about speaking is that I've had a chance to actually talk to a couple members of the press regarding my presentation. I just want to kind of clarify that, and one of the articles I was quoted as saying that NIST created the PCI DSS. It's obviously not true, so I just kind of want to clarify that right now.
But to kind of move on, one of the major criticisms that I've seen from both customers as well as talking to various people in the industry is this whole idea of PCI being very vague as well as the industry self-policing themselves. And what I'm talking about this is, one example is that depending on the number of transactions that you do as a merchant or so, you'll need to fill out what's called a self-assessment questionnaire. And basically the questionnaire is, do I comply with this security control? Yes, yes I do. Do I comply with this security control? Yes I do. Then I kind of hand it over and say yes I am compliant. And I'm going to kind of draw that, draw a comparison between that as well as what's kind of going on in the smart grid industry.

So we have these organizations, NERC and FERC, kind of already gone over what NERC is. Just to kind of give you a background though, NERC is not actually a government agency. However, FERC, which is the Federal Energy Regulatory Commission, they're kind of very related, but there's obviously that big difference between one is a government body, one is not. And basically what they've reported on, now this is NERC and FERC, what they actually reported on is that utilities are actually under-reporting their critical assets. So they're basically the, these utility companies are actually classifying what is actually a critical asset, what is actually critical to them, right? And what they found and what they've reported to the House Committee on Homeland Security is that utility companies are actually under-reporting what is actually a critical asset. So how is this going to become a problem? Well, let's take a look. So NERC and FERC kind of discussed what's been commonly referred to as the Aurora vulnerability. You guys might remember this from a few years ago. There was actually a video out about how some pen testers actually caused a power plant system to, quote unquote, cough and basically causing problems.
And what was reported to this House Committee is that several years after a remediation plan had been delivered to these companies, they actually hadn't remediated it. So given a couple years after this remediation plan had been built and delivered, they still hadn't remediated this.

So let's kind of go on to the more interesting stuff. So basically before this talk, I did some research. And what I did was actually looked at some of these websites. So I kind of mentioned it before about how these utility companies are creating these websites so that you as a user can actually go there and monitor your usage, as well as do some other more advanced functionality. And I looked at about eight utility company websites, and you guys can read up there, but basically what I found were some very basic and very simple vulnerabilities. I mean, it's 2009, and a utility company is still doing authentication over clear text. And this was actually one of the more humorous sides of this research is that when I went to the website, it looked like your fairly standard website, so I clicked on the login link. And I got directed to this temporary page, where it said, we apologize for any inconvenience as we migrate to our more secure server. And it said, please wait about five seconds, and after that time period, you'll be redirected to our more secure server. So out of curiosity, I waited the five seconds, and granted, I went to the new secure server. And the new secure server was basically secure.so-and-so.com. But the problem is, it was doing authentication over clear text. So what was actually more secure about that server? It's basically just the name, right? On top of that, cross-site scripting. So on top of just authentication, we have more advanced vulnerabilities. And even better is we have information leakage. Now, with this website, they used a very, very advanced method to actually try to hide this information.
So I went to the website, and just, again, it looked like your pretty standard website. Then I used that advanced hacking technique of scrolling down. And once you actually scroll down, you actually saw every server statistic that they had. So we're talking kernel version, web server version. How much RAM was actually in the system? Basically, every type of debugging information you could want was just within scrolling reach. And so one of the things that I am actually happy to report on is that this morning, when I went back to check to see if these vulnerabilities still existed, they had actually removed the debugging information. So I was very happy about that.

But what else? So two of the major partners within this utility industry are going to be Google and Microsoft, as usual. So Google has their PowerMeter software. And what this does, it actually allows you to look at your energy usage, right? And what they're doing is they're integrating this with iGoogle. And on top of that, Microsoft has their security, sorry, their service called Hohm. And basically what this is is, excuse me, use your Live credentials as well as your Google credentials to actually log into this. So Google has plans to actually integrate PowerMeter into your iGoogle. So if you've been attending talks over the past several years, you'll notice that every once in a while, vulnerabilities tend to appear in your Google services and your Microsoft services. So basically, any types of vulnerabilities that appear in those are going to carry over into this new infrastructure.

All right, so what should we do about this? So kind of when I went over the timeline, I kind of discussed the fact that we really missed the opportunity at the beginning. Now, we can still do some good, right? So why not allow security to mature? On top of that, fix the vulnerabilities. So I mean, we've known about these web application vulnerabilities. Clear text authentication is not a new vulnerability.
I didn't create it. So just, you know, if you work for a power company, review your website. Do your security assessments. And when somebody actually tells you, gives you a good recommendation, you should probably look at actually implementing that.

All right, now let's talk about innovation versus security slash, say, renovation, but I should actually say regulation. It kind of boggles the mind a little bit. But basically, what I'm talking about here is that there's going to be the counterargument saying if you have too much security, too much regulation, then you're going to stifle innovation. But of course, you know, security can't get in the way of innovation. It just can't. And one of the problems is if you go back to that CIA triad, what's one of the members of the CIA triad? It's availability. And unless you have the proper level of security, this new technological infrastructure is not going to be available. You know, you need to have those security, the security best practices built in, or your electricity, your monitoring usage. It's not going to be available. And fix the low-hanging fruit. So kind of just keep harping on the whole authentication. Don't send usernames and passwords over a clear text protocol.

Thanks for coming. Questions? Basically, if you have any questions, I've only got about a minute left, so I'm probably not going to be able to take very many questions. I'll be around. I'll be happy to discuss anything with you.
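Two of the points in the talk lend themselves to a worked example: the AMI control that leaves the limit on consecutive invalid access attempts to an "organization-defined number", and the recommendation to review utility websites for credentials sent over clear text. The code below is an added example written for this transcript; it is not code from the talk, from FYRM Associates, or from any of the utilities, standards bodies or vendors mentioned. It models a lockout policy so you can see what a small versus a large organization-defined number actually buys, and it scans an HTML login page to flag password forms that post to a plain-http URL. The host names, page markup and guess sequence are all constructed for illustration.

```python
"""Added example: lockout-limit modelling and clear-text login form check.

Neither the lockout policy nor the form scanner comes from the talk or
from the AMI document; they are illustrations of the controls discussed.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LockoutPolicy:
    """Tracks consecutive failed logins per account and refuses further
    attempts for `lockout_seconds` once `max_failures` is reached.
    `max_failures` plays the role of the AMI "organization-defined number"."""

    def __init__(self, max_failures, lockout_seconds):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}             # account -> unlock timestamp

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear the counter so the account can try again.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account, password_ok, now):
        """Return True only if the attempt was allowed and the password was
        correct; False if the account is locked or the password was wrong."""
        if self.is_locked(account, now):
            return False
        if password_ok:
            self._failures[account] = 0
            return True
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
        return False


def replay_failed_logins(policy, account, guesses, correct, start=0):
    """Replay a constructed sequence of login attempts, one per second, and
    return the index at which the correct password got through, or None if
    the policy blocked it. Used here to compare lockout settings."""
    for i, guess in enumerate(guesses):
        if policy.attempt(account, guess == correct, start + i):
            return i
    return None


class _LoginFormScanner(HTMLParser):
    """Collects every <form> containing a password field together with the
    absolute URL it submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # list of (action_url, has_password_field)
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL.
            self._current = [urljoin(self.page_url, attrs.get("action", "")), False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def cleartext_login_forms(page_url, html):
    """Return submit URLs of password forms that would send the credential
    over something other than https (the "secure server in name only" case)."""
    scanner = _LoginFormScanner(page_url)
    scanner.feed(html)
    return [action for action, has_pw in scanner.forms
            if has_pw and urlparse(action).scheme != "https"]


# Constructed sample page: served from an https host, but the login form
# posts to a plain-http endpoint, so the password still travels in clear text.
SAMPLE_PAGE_URL = "https://secure.example-utility.invalid/login"
SAMPLE_HTML = """
<html><body>
<form action="http://www.example-utility.invalid/dologin" method="post">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>
"""

# Constructed attempt sequence: 40 wrong passwords followed by the right one.
SAMPLE_GUESSES = ["wrong%d" % i for i in range(40)] + ["correct-horse"]

if __name__ == "__main__":
    print("clear-text login forms:", cleartext_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
    for limit in (5, 100):
        got_in = replay_failed_logins(LockoutPolicy(limit, 900), "alice", SAMPLE_GUESSES, "correct-horse")
        print("limit=%d -> correct password accepted at attempt %s" % (limit, got_in))
```

With the limit set to 5 and a 15-minute lockout, the replayed sequence never gets in, because the account locks after the fifth failure and every later attempt lands inside the lockout window; with the limit raised to 100, the same sequence is accepted on the 41st attempt, which is the talk's point about what happens when the number is set by whoever finds lockouts inconvenient. The form scanner only looks at the markup of one page; a real review should also follow any redirect chain (like the five-second "more secure server" page the talk describes) and check where each hop actually posts.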