Exposing the security flaws in the smart grid

August 30, 2012

Smart grid technology has come under the cybersecurity microscope, after the Department of Homeland Security was informed of a programming flaw that could see power generation in the hands of hackers.

According to the BBC, hackers who can bypass web security protocols installed by RuggedCom could potentially get control of global energy infrastructures. By gaining access through a backdoor in the data traffic system, Justin Clarke, a security expert, believes that a malicious cyber attack could be mounted upon power turbines, high-voltage grid gear and industrial plants.

Speaking at a recent security conference in Los Angeles, Clarke claimed that gaining access to the data traffic stream that flows between an end user and a router was "merely a matter of extracting the software key used to encrypt traffic."

"If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you," Clarke said.

Exposing vulnerabilities
RuggedCom was bought by Siemens last year for $381 million, and this is the second time that Clarke has found a way to access the supposedly secure demand response information that passes from electricity producers and consumers. After he pointed out how vulnerable the company was to a possible attack, the firm released an update to its data protection software.

However, the DHS has had to deal with the threat of a cyberattack on critical infrastructure before. Following a potential situation that occurred in Illinois in 2011, the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) constantly monitors smart grids for suspicious activity and, according to Greentech Media, has identified 90 vulnerabilities that could be classed as threats, as opposed to the 60 that were discovered last year.

Following Clarke's presentation in Los Angeles, the DHS issued the following statement:

"ICS-CERT is aware of a public report of hard-coded RSA SSL private key within RuggedCom’s Rugged Operating System (ROS). The vulnerability with proof-of-concept (PoC) exploit code was publicly presented by security researcher Justin W. Clarke of Cylance Inc … ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risk to these and other cybersecurity attacks."

Securing the smart grid
The problem that utility companies face in embracing smart grid systems is that the data is essential in determining how much energy can or should be released. Traditionally, the electric grid operated as a separate entity, connected through pipes and cables. But with energy data transmitted through the cloud, utilities are facing not just the threat of power overloads or blackouts, but the very real possibility that hackers could take control of critical energy systems, which is especially worrying if the source of energy generation is nuclear.

Industry analysts estimate that utility companies will be spending $237.6 million on smart grid cybersecurity products annually by the end of 2015, compared to $120 million in 2011. In July, the National Security Agency reported that cyberattacks on utilities had increased by 17 percent between 2009 and 2011, although legislation that would have strengthened security protocols was rejected by the U.S. Senate.

"It’s all part of the process of bringing utilities up to the cybersecurity required in the new age of smart grid," said Jeff St. John, a blogger for GreenTech Media. "Simply put, yesterday’s grid technology was built with the assumption that it would stand apart, in locked industrial sites and control centers, unavailable to outside tampering. But connecting that legacy technology to today’s IT world via the smart grid opens it up to all sorts of hacks."

-McAfee Cloud Security