Low Cost Smart Meter Chips Introduce Security Vulnerabilities to the Smart Grid
February 3, 2011, 06:47 am EDT
In the recent post, “Ember Needs A Wake-Up Call From The CIA,” the author, Jeffrey Carr, exposes the security vulnerabilities of the wireless communication protocol ZigBee that is commonly used in semiconductor chips found in smart meters. The article discusses how the cheapest version of these semiconductor chips actually broadcasts encryption keys in plain text, which, as Carr explains, “is the equivalent of using the word ‘password’ as your password.” While Ember, the provider of ZigBee chips, offers solutions with more security features, Carr expresses fear that utility providers will select the lowest cost solution without fully understanding its security shortcomings.
Without a doubt, there is a real danger when cost and efficiency are the primary criteria when selecting components for a Smart Grid infrastructure. For this reason, SafeNet feels that security must be of equal, if not greater, consideration as utility providers build their Smart Grid deployments. Any weak link in the security of the Smart Grid could lead to:
Grid Instability. Large-scale manipulation of smart meters could be used to create instability in the power grid by falsifying the usage readings to be higher or lower than the actual demand. If meters were to simultaneously have a dramatic change in draw, it could cause outages across a large area.
Loss of Consumer and Enterprise Privacy. A benefit of the Smart Grid is improved customer service relationships through more frequent communication between customers and utility companies. This requires an exchange of personal and account data at some level that could be exploited.
Actionable Energy Usage Data Exposure. Electricity use patterns could lead to disclosure of not only how much energy customers use but also when they’re at home, at work, or traveling. In residential deployments, it would be possible to deduce information about personal behaviors and which appliances are present by monitoring energy usage.
Utility Fraud. Criminals can tap into the network to extract data that could contain executable codes, configuration information, or cryptographic keys—all of which could be stolen or modified. These assets could also be used to manipulate billing or usage data.
In the case of the Smart Grid, where the dangers of insufficient security are difficult to predict, the term “worst-case scenario” is a bit of a moving target. Utility providers leverage a complex and decentralized system of applications to manage the delivery of the utility, and without tapping the knowledge of leading information security providers, the Smart Grid will never be fully secure.
Smart Grid security solutions must be able to deploy on a large scale, with minimal effect on application performance. Securing the Smart Grid at the communication layer will require a system to identify connected meters, verify that these meters are configured correctly, and validate them for network access. The recommended solution for this authentication process is a Public Key Infrastructure (PKI) secured by hardware security modules (HSMs). PKIs are ideal for large-scale security deployments that require a high level of security with minimal impact on performance. In a PKI environment, it is essential that private keys and certificates are guarded with a reliable key management solution that protects against ever-evolving data threats. Leading utility infrastructures that leverage HSMs as the hardware-based trust anchor for protecting their PKI have found that this solution eliminates vulnerabilities and provides the following benefits:
Device Attestation. Using device attestation certificates, the HSM confirms the device manufacturer, model, and serial number, and that the device has not been tampered with. These certificates, coupled with the appropriate authentication protocol, can be used by the energy service provider to ensure that the device is exactly what it claims to be.
PKI and EKM Key Management. HSMs provide significant cost savings, as HSM functionality (key generation/offline root/online root/key export) is made available with one device.
Trust Anchor. A local policy database (LPD) is a set of rules that define how the device can use its certificate and the types of certificates it should accept when acting as a relying party. The LPD would be a signed object, signed and stored within the HSM.
Encryption and Decryption of Information. AES 256 & ECC 256/384-bit. ECIES key management and ECDSA signing performance (256-bit curves).
Transaction processing of usage and billing to customers. Provide a trusted path for energy usage for accurate and secure electronic billing.
Compliance. Compliant with PII, NIST, FIPS, and NERC audits.
Remote Management of Meters. Securely update the metering settings, configuration, security credentials, and firmware of all devices in the AMI system.
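The certificate-based meter authentication described above can be sketched as follows; this is an added example, not SafeNet's code. It assumes the model sits in the certificate's common name and the serial number in the subject's serialNumber attribute, uses software keys where a real deployment would keep the CA key in an HSM, and the names `issue`, `prove` and `admit` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a P-256 key and certificate (errors ignored: constructed inputs); nil parent = self-signed CA.
func issue(model, serial string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotAfter: time.Now().Add(time.Hour),
		NotBefore: time.Now().Add(-time.Minute), Subject: pkix.Name{CommonName: model, SerialNumber: serial}}
	if parent == nil { // trust anchor: CA certificate signed with its own key
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// prove is the meter side: sign the head-end's nonce with the certified private key.
func prove(key *ecdsa.PrivateKey, nonce []byte) []byte {
	d := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, d[:])
	return sig
}

// admit is the head-end side: chain to the trust anchor, then check the nonce signature.
func admit(anchor, dev *x509.Certificate, nonce, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := dev.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	pub, ok := dev.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(nonce)
	return err == nil && ok && ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	ca, caKey := issue("Constructed Meter CA", "", nil, nil)
	dev, devKey := issue("EM-100", "SN-0001", ca, caKey)
	nonce := []byte("fresh nonce chosen by the head-end")
	println("admitted:", admit(ca, dev, nonce, prove(devKey, nonce)))
}
```

Unlike a key broadcast in plain text, nothing sent over the air here is secret: the certificate and signature are public, and a captured signature is useless against a different nonce.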
By deploying advanced security measures around the smart meter infrastructure, utility companies and energy consumers can have peace of mind that their information is not tampered with and the infrastructure is protected.
This entry was posted in Authentication, Compliance, Digital Signatures, Energy, Key Management and tagged Cryptography, Energy, Energy Security, Hardware Security Modules, Meter Security, PKI, Smart Grid, Smart Meter, Utility, Utility Security by Trisha Paine.