Friday, June 12, 2009

Hacking retail, hacking wholesale

Both my regular readers know that I'm a bit of a Cassandra about the security of the power grid. This goes way, way back to the Pleistocene Age of the Borepatch blog, back around September 2008:
It's pretty surprising how vulnerable the power grid is to someone who wanted to start taking it apart, bit by bit. The grid was designed to be robust against storms and natural disasters, and is very robust indeed. Against single impact events. An attacker who exploited this SCADA vulnerability to take out an important point in the grid would stress the entire grid, as it tried to route around the failure. If the attacker took out another key point, and possibly another, the grid might collapse.
From a security point of view, the real question is not "Is the power grid vulnerable?" Of course it is. The real question is what parts of the grid do the bad guys already own?
A couple of months ago, I revisited this topic in relation to espionage:
4. The Power Grid is now no longer dependable in any meaningful sense. Instapundit makes a throwaway comment that isn't actually a throwaway: Maybe I should rethink buying that generator . . . . Actually, yes, this is precisely what you should do. Nobody can demonstrate that the grid is reliable to stated service levels. The secretary of the Department of Homeland Security should lose sleep over this.
Well, it turns out that I'm not nearly pessimistic enough. This is hacking at a retail level: taking over power control systems one by one. Pretty much only governments have the resources to do this, since it's terrifically expensive in terms of man-hours required.

Wholesale is where it's at for those on a budget. And the Obama administration - no doubt at the behest of the Greens - is paving the way. Billions of dollars in the "stimulus" plan are for the purchase and deployment of "smart" power meters, centrally controlled network devices that let power be remotely turned on or off. The power companies like them because it makes it easy to implement "rolling blackouts" - think California in 1999. The Obama administration and the Greens like them because they can now make you use less power.

The bad guys like them because they can now use automated malware technology to take over the entire power grid at once:

New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid, according to a security researcher who plans to demonstrate several attacks at a security conference next month.


There's just one problem: The newfangled meters needed to make the smart grid work are built on buggy software that's easily hacked, said Mike Davis, a senior security consultant for IOActive.
He has proof, and is going to demonstrate it at the upcoming Black Hat security conference. So just how lame is the security of the system?
The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid.
You know when you go to a secure web site - say Amazon? You know how you have the padlock icon? This thing:

That means that even your silly old browser will encrypt the traffic. The power meter? Sorry.

Authentication is a fancy-pants term for "show me who you are". Anyone who's ever used a password or a PIN has done authentication. The power meter? Sorry.

And basic malware techniques make this a mass-production hacking opportunity:
To prove his point, Davis and his IOActive colleagues designed a worm that self-propagates across a large number of one manufacturer's smart meters. Once infected, the device is under the control of the malware developers in much the way infected PCs are under the spell of bot herders. Attackers can then send instructions that cause its software to turn power on or off and reveal power usage or sensitive system configuration settings.
So .... Any Tom, Dick, or Harry who can get on the power network can send a command to any power meter to shut it down. The power meter will helpfully comply, no questions asked. The only thing that would stop this is to make sure that nobody ever gets onto the power network. Except we can't even keep malware out of classified networks that are disconnected from the Internet.
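To make the "no questions asked" point concrete, here is an added example (written for this post; it is not code from the article, from IOActive, or from any meter vendor) of a toy meter command handler in both forms: the unauthenticated one the article describes, where any message on the network that says "disconnect" is obeyed, and a hardened one that checks an HMAC tag and a message counter before it touches the relay. The frame layout, the command names, and the key value are all constructed for the example.

```python
import hashlib
import hmac
import json
import struct

# Constructed per-meter key for this example. In a real deployment each meter
# would get its own key provisioned at manufacture, never one fleet-wide value.
METER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

COUNTER_LEN = 8   # big-endian message counter, used to reject replays
TAG_LEN = 32      # HMAC-SHA256 tag computed over counter || body

# Hypothetical command set; the article lists updates and disconnects as sensitive.
SENSITIVE_COMMANDS = {"disconnect", "connect", "firmware_update", "dump_config"}


class Meter:
    """Toy meter model: tracks relay state and a log of executed commands."""

    def __init__(self, key=None):
        self.key = key            # None models a meter with no credentials at all
        self.power_on = True
        self.last_counter = 0     # highest counter accepted so far
        self.executed = []

    def handle_unauthenticated(self, msg):
        """The behaviour the article describes: any sender on the network
        can issue a sensitive command and the meter simply does it."""
        return self._execute(msg.get("cmd"))

    def handle_authenticated(self, frame):
        """Hardened path: verify the tag, then reject replays, then execute."""
        if self.key is None or len(frame) < COUNTER_LEN + TAG_LEN:
            return "reject: malformed"
        signed, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        # Constant-time compare so tag verification does not leak timing.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        (counter,) = struct.unpack(">Q", signed[:COUNTER_LEN])
        if counter <= self.last_counter:
            return "reject: replay"
        try:
            msg = json.loads(signed[COUNTER_LEN:])
        except ValueError:
            return "reject: malformed"
        self.last_counter = counter   # only advance after a fully valid frame
        return self._execute(msg.get("cmd"))

    def _execute(self, cmd):
        if cmd not in SENSITIVE_COMMANDS:
            return "reject: unknown command"
        if cmd == "disconnect":
            self.power_on = False
        elif cmd == "connect":
            self.power_on = True
        # firmware_update / dump_config are only recorded in this toy model.
        self.executed.append(cmd)
        return "ok"


def build_frame(key, counter, cmd):
    """Head-end side: counter || JSON body || HMAC-SHA256(key, counter || body)."""
    header = struct.pack(">Q", counter)
    body = json.dumps({"cmd": cmd}).encode()
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def demo():
    """Run both meters through the same disconnect request; returns a summary."""
    naive = Meter()                       # no key: nothing to check
    naive_result = naive.handle_unauthenticated({"cmd": "disconnect"})

    hardened = Meter(METER_KEY)
    good = build_frame(METER_KEY, counter=1, cmd="disconnect")
    first = hardened.handle_authenticated(good)
    replayed = hardened.handle_authenticated(good)          # same frame again
    forged = build_frame(b"wrong-key", counter=2, cmd="connect")
    forged_result = hardened.handle_authenticated(forged)
    tampered = bytearray(build_frame(METER_KEY, counter=3, cmd="connect"))
    tampered[COUNTER_LEN + 2] ^= 0x01                       # flip one body bit
    tampered_result = hardened.handle_authenticated(bytes(tampered))
    return {
        "naive": (naive_result, naive.power_on),
        "hardened_first": (first, hardened.power_on),
        "replay": replayed,
        "forged": forged_result,
        "tampered": tampered_result,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the naive meter cutting power for anyone who asks, while the hardened one accepts exactly one properly keyed disconnect and refuses the replayed, wrongly keyed, and bit-flipped frames. Two caveats worth noting: an HMAC gives authenticity and integrity but not confidentiality, so the article's "no encryption" point would still need the body wrapped in an authenticated cipher such as AES-GCM; and the counter has to survive a power cycle, or the first frame after a reboot can be replayed.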

So, how are the Fed.Gov planners helping? They're not. On the contrary:

He said the rush to upgrade has only increased in the months following passage of Barack Obama's stimulus package, which reserved $4.5bn for smart-grid spending. To qualify, however, utilities must meet aggressive deadlines that have only accelerated companies' upgrade plans.

As a result, concerns about security have taken a back seat, said IOActive's Davis. Before the incentives were announced, several utilities approached him and asked if he would perform penetration tests on meters they planned to roll out.

"As soon as the stimulus bill came out, everybody just clammed up," he said. "It's almost impossible for us to get new devices to look at now."

So, some of the companies were actually interested in improving their devices' security, until the Fed.Gov-sponsored gold rush lit off. Can't really blame them for not wanting to lose the entire market to competitors. Nice bit of unanticipated consequences, there. I'm sure that they're smarter than we are, though, particularly those of us in Internet security.

Buy a generator, and lay up food, water, and ammo. Yes, it's really that bad, and it's fixin' to get worse.

UPDATE 12 June 2009 23:45: Interesting. NERC is the North American Electric Reliability Corporation. Not sure what this means, other than someone picked up on this little post pretty quickly.

UPDATE 14 June 2009 16:45: Welcome visitors from Tam's Place! Take a look around. More on the psychology of how this sort of thing happens here.


Paladin said...

Awesome post!

I knew that I didn't like the "smart meters" on general principle. Now I have another valid reason for despising the concept.

It appears we are to be the architects of our own demise on several different fronts simultaneously.

Borepatch said...

Paladin, thanks. I was worried that it was too much of a rant.

Sadly, we see this all the time - someone wants the Next Big Thing done RIGHT NOW, and "we'll fix security later". Of course, we never get around to it later.

The Web itself is an example of this. Great for exchanging data (say, Facebook). Not so great for transactions where higher trust levels are needed (banking).

I'm a firm believer that nothing mission critical should ever be on the Internet.

The claim is that these meters won't be on the Internet. We'll see - the same claim is made about SCADA systems, which I simply don't believe.

See? I'm ranting again. ;-)

You're absolutely right - we are the architects of our own doom.

"History repeats itself because nobody listens the first time."

Anonymous said...

Gah, yes, SCADA systems DO end up on the internet, even though they shouldn't. Usually because some lazy bum wants to not have to come into the plant to reset things, instead being able to do it all from their laptop at home.

Guess what I used to do for a living?

Borepatch said...

Joanna, thanks. I was speculating, although as you say the motivations are pretty basic.

As the Mythbusters guys would say, "Confirmed"!