
Smart Grids and Control

System Security
INSE 6640 – Hacking the Smart Grid (Part 2)
(Lecture 4)

Prof. Walter Lucia


Lecture Outline
• Previous lecture: recap
• Identify a target
• Scanning techniques
• Vulnerabilities
• Attack tools
• Attack methods
Recap (1/2)

• As with any cyber-attack, there are well-defined steps to hacking a Smart Grid:
• Reconnaissance and scanning to identify potential targets (many open-source tools are available)
• Enumeration (finding and collecting information on available ports and services), penetration and infection
• Once breached, the attacker can continue to enumerate and propagate, spreading the infection among interconnected systems
Recap (2/2)

• Cyber-attacks can be classified by their intent:
• Theft of information (for profit or for further reconnaissance)
• Denial of Service (to interrupt a service)
• Manipulation of Service (to alter the behaviour or performance of a service)
Identify a Target

Identifying a target (1/2)

• The first step in a cyber-attack is the identification of the target
• Because the Smart Grid is so complex and interconnected, an attacker can choose among many targets as a starting point
• Once the attacker has gained access to one subsystem, he/she can propagate through the Grid (if security controls and countermeasures are not in place to mitigate "horizontal propagation", i.e. lateral movement between subsystems)
Identifying a target (2/2)
• WAN communications: if one of the potential targets is connected to the Internet, target identification becomes much easier for the attacker
• Every major cyber security standard or guidance document recommends that control systems are never directly connected to a public network
• Private or leased WANs are uncommon
• Virtual Private Networks (VPNs) over shared/public WANs are often employed instead
• A VPN provides transport-layer encryption and access control, but it only protects the traffic inside the tunnel: the VPN endpoints and their credentials remain targets

• ICS devices: in an Industrial Control System (ICS) there are several potential targets
• ICS devices are relatively easy to find and to hack
• ICS components, in many industries, continue to be insufficiently protected from Internet access
Example
• A SCADA server, a Phasor Data Concentrator (PDC) or a recloser may be connected to an industrial Ethernet switch, segmented behind a router and protected by a firewall and an industrial Intrusion Prevention System (IPS)
• Nevertheless, some components also need long-range or even global wide-area network connectivity in order to work
• E.g. a PMU uses the IEEE C37.118 protocol, GPS-based time synchronization, and satellite, radio, mesh-wireless or other links
• Some devices expose remote access (access servers) so that technicians can reach substations or field devices remotely
• Pro: remote control is easier and cheaper than sending technicians into the field
• Con: an attacker who compromises the access server or its credentials gains the same root or admin access, remotely
NISTIR 7628: primary and secondary targets
(not a complete list)
Scanning Transmission and Distribution Infrastructure
Scanning T&D (1/2)
• Depending on the nature of the target, a Smart Grid can be scanned using
• Standard scanning and enumeration techniques (with minor variations)
• Scanning and enumeration techniques that are specific to SCADA and industrial control systems
• Example: transmission SCADA (T-SCADA) and gateway servers are built from standard components running a standard Windows OS
• They can be identified using the Network Mapper (Nmap) tool (see next slide)
• Enumerated via a vulnerability scan
• Exploited using off-the-shelf exploits, e.g. from the Metasploit framework
Scanning Techniques (1/2)
• A famous general-purpose tool is Nmap
• It can discover all endpoints on a TCP/IP network (network devices and hosts) using a ping sweep (ICMP echo requests over an IP range)
• It also uses additional Internet Control Message Protocol (ICMP) capabilities (e.g. address-mask and timestamp requests) to discover network masks, i.e. information about subnets
• TCP and UDP port scans then reveal open ports, which identify the services usually running on those ports
• In an industrial network, network scanning works in the same way
• We can understand whether a subsystem is a SCADA or process-control device by looking for common ports:
• E.g. port 20000 is used by DNP3; 102 by IEC 61850 messaging (MMS over ISO-TSAP); 502 is Modbus/TCP
• If port 2222 or 44818 is detected, the system is using the Common Industrial Protocol (CIP) over EtherNet/IP
• Data on port 102 can be assumed to be substation automation controls or messaging (caveat: the Siemens S7 protocol also uses ISO-TSAP on port 102, so a banner or protocol probe is needed to tell them apart)
• Traffic on port 4713 (UDP) or 4712 (TCP) can be assumed to be IEEE C37.118 PMU measurements
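Fingerprinting ICS hosts from a scan, as an added example (not from the lecture): the script parses an Nmap XML report (`nmap -oX`) and maps open ports to the protocols listed above. The report embedded below is a constructed sample, not a real scan, and the port table follows the slide (including the deliberate ambiguity of port 102, which is flagged rather than resolved).

```python
"""Classify hosts in an Nmap XML report by the ICS protocol their open ports suggest.
Added example; the port->protocol table is taken from the lecture slide and the
XML below is a constructed excerpt in `nmap -oX` format, not a real scan."""
import xml.etree.ElementTree as ET

# Port -> candidate protocols. Port 102 is ambiguous on purpose: ISO-TSAP carries
# both IEC 61850 MMS and Siemens S7comm, so a deeper probe is needed to decide.
ICS_PORTS = {
    502: ("Modbus/TCP",),
    20000: ("DNP3",),
    102: ("IEC 61850 MMS", "Siemens S7comm (ISO-TSAP)"),
    2222: ("EtherNet/IP CIP implicit I/O",),
    44818: ("EtherNet/IP CIP explicit messaging",),
    4712: ("IEEE C37.118 synchrophasor (TCP)",),
    4713: ("IEEE C37.118 synchrophasor (UDP)",),
}

# Constructed sample report: one Modbus/ISO-TSAP host, one DNP3 host, one plain server.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
      <port protocol="tcp" portid="102"><state state="open"/><service name="iso-tsap"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.21" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="20000"><state state="open"/><service name="dnp"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.22" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/></port>
    </ports>
  </host>
</nmaprun>"""


def classify_hosts(xml_text):
    """Return {ip: {port: candidate protocols}} for hosts exposing a known ICS port."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hits = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports tell us nothing about the service
            portid = int(port.get("portid"))
            if portid in ICS_PORTS:
                hits[portid] = ICS_PORTS[portid]
        if hits:
            result[addr.get("addr")] = hits
    return result


def ambiguous_ports(hits):
    """Ports whose protocol cannot be decided from the port number alone."""
    return sorted(p for p, candidates in hits.items() if len(candidates) > 1)


if __name__ == "__main__":
    for ip, hits in classify_hosts(SAMPLE_XML).items():
        for port, candidates in hits.items():
            print(f"{ip}:{port} -> {' or '.join(candidates)}")
        if ambiguous_ports(hits):
            print(f"  {ip}: ports {ambiguous_ports(hits)} need a protocol probe to classify")
```

A real report would come from something like `nmap -sS -p 102,502,2222,4712,20000,44818 -oX scan.xml <range>`; note that even a TCP SYN scan has been known to upset fragile PLCs and RTUs, so active scanning of a live control network is done only with the owner's consent and preferably against a lab or a passive capture.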
Scanning Techniques (2/2)
• Scanning industrial networks is possible because most of the protocols in use are based on a request/response (client-server) messaging model
• Requests and acknowledgements are exchanged between devices
• Information about the responding devices is transmitted as well:
• Operating state
• Values within their registers
• E.g. a DNP3 sweep can be performed in the same way as a ping sweep: a link-layer request is sent to every candidate DNP3 address
• The request solicits responses from active outstations, identifying all of the DNP3 devices within the system
• Example: Stuxnet
1. The Stuxnet payload established itself in the Siemens PCS 7 system (the SCADA)
2. Stuxnet enumerated the Profibus devices remotely via the S7 communications driver
3. Once the specific target device was identified, malicious code was written to the PLC
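What a "DNP3 sweep" actually sends, as an added example (not from the slides): the code builds the 10-byte DNP3 link-layer header (IEEE 1815: start bytes 0x05 0x64, length, control, destination, source, CRC-16/DNP) for a REQUEST_LINK_STATUS to each candidate address and recognises the LINK_STATUS reply from a live outstation. The transport is a stand-in function and the two live outstation addresses are constructed; against real equipment the frames would go over TCP or UDP port 20000.

```python
"""DNP3 link-layer sweep: build a REQUEST_LINK_STATUS frame per address, parse replies.
Added example. Frame layout follows the IEEE 1815 link layer; the outstation set
and the in-memory transport are constructed for the demo."""
import struct

CRC_POLY_REFLECTED = 0xA6BC  # bit-reversed 0x3D65, the DNP3 CRC polynomial


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected, init 0, final XOR 0xFFFF (check value for b'123456789' is 0xEA82)."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


FC_REQUEST_LINK_STATUS = 0x9  # primary-station function code (master -> outstation)
FC_LINK_STATUS = 0xB          # secondary-station reply


def build_link_status_request(dest: int, src: int = 1) -> bytes:
    # CTRL byte: DIR=1 (from master), PRM=1 (primary message), FCB=0, FCV=0, FC=9 -> 0xC9
    ctrl = 0x80 | 0x40 | FC_REQUEST_LINK_STATUS
    header = bytes([0x05, 0x64, 5, ctrl]) + struct.pack("<HH", dest, src)  # LEN=5: ctrl+dest+src
    return header + struct.pack("<H", crc16_dnp(header))                    # CRC sent LSB first


def build_link_status_reply(dest: int, src: int) -> bytes:
    """What a live outstation at `src` answers: DIR=0, PRM=0, FC=0xB."""
    header = bytes([0x05, 0x64, 5, FC_LINK_STATUS]) + struct.pack("<HH", dest, src)
    return header + struct.pack("<H", crc16_dnp(header))


def parse_link_header(frame: bytes):
    """Decode a link-layer header; None if the start bytes or the CRC do not check out."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        return None
    header, crc = frame[:8], struct.unpack("<H", frame[8:10])[0]
    if crc16_dnp(header) != crc:
        return None
    ctrl = header[3]
    dest, src = struct.unpack("<HH", header[4:8])
    return {"len": header[2], "dir_master": bool(ctrl & 0x80),
            "prm": bool(ctrl & 0x40), "fc": ctrl & 0x0F, "dest": dest, "src": src}


def sweep(candidates, transport):
    """Ask every candidate address for its link status; return the addresses that answered.
    `transport(frame) -> bytes | None` stands in for a send+recv on port 20000."""
    alive = []
    for addr in candidates:
        reply = transport(build_link_status_request(addr))
        hdr = parse_link_header(reply) if reply else None
        if hdr and hdr["fc"] == FC_LINK_STATUS and not hdr["prm"] and hdr["src"] == addr:
            alive.append(addr)
    return alive


# Constructed lab: only outstations 10 and 1024 exist; all other addresses stay silent.
LIVE_OUTSTATIONS = {10, 1024}


def fake_transport(frame: bytes):
    hdr = parse_link_header(frame)
    if hdr and hdr["dest"] in LIVE_OUTSTATIONS and hdr["fc"] == FC_REQUEST_LINK_STATUS:
        return build_link_status_reply(dest=hdr["src"], src=hdr["dest"])
    return None


if __name__ == "__main__":
    print("request to address 10:", build_link_status_request(10).hex(" "))
    print("responders:", sweep(range(0, 2048), fake_transport))
```

Nothing in the reply is authenticated: any host that can reach the outstation learns its address and liveness, which is exactly why the sweep works and why the later "insecure by design" discussion matters.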
Enumeration: Automation Systems
• Substation automation systems are often exploited to enumerate a target
• Industrial protocols expose detailed knowledge about the connected devices, including vendor, object identifier, supported services and so on
• If vendor and ID are available, then
• The exact device model can be looked up
• Device functions are often documented online
• Some ICS devices have known vulnerabilities (also documented online)
• Note that protocol documentation is also available, because most industrial protocols are open protocols
• Sometimes vendors use proprietary protocols (e.g. the Siemens S7 protocol) to introduce a greater degree of obscurity
• In this case enumeration is harder, but obscurity is not a solution to the problem (S7 has been publicly reverse-engineered)
Vulnerabilities

Vulnerabilities
• SCADA systems and industrial protocols are everywhere in the Smart Grid:
• Transmission management systems
• Distribution management systems
• Substation automation
• Energy management systems
• Etc.

• In Industrial Control Systems, two main classes of vulnerabilities are exploited:
• Vulnerabilities specific to a device
• Vulnerabilities inherent in the protocols used
Device Vulnerabilities
• Device vulnerabilities are specific to a particular device and/or vendor
• Many Smart Grid devices possess vulnerabilities that can be discovered through analysis tools and reverse engineering
• A specific device can be fully analyzed to identify weaknesses such as heap or stack overflows, which could allow malicious code to be executed by the target system
• Example: the Achilles Test Platform is a testbed (protocol robustness and fuzz testing) for the analysis of real-time and embedded devices
Device-specific vulnerabilities
• Example: in 2012 Project Basecamp (Digital Bond and a team of volunteer researchers) highlighted and demonstrated the fragility and insecurity of most SCADA field devices such as PLCs and RTUs
• Project Basecamp documented numerous device-specific vulnerabilities in the PLCs and RTUs it examined
• The researchers also published exploits that can be used to target specific Smart Grid devices
• Many freely available Metasploit modules and dedicated scanning tools exist for security assessment; they also provide powerful tools to attackers
Leveraging known vulnerabilities
• Stuxnet exploited zero-day vulnerabilities (unknown at the time) to ensure successful delivery and execution of its malicious payload
• Besides Stuxnet, other attacks exploiting ICS vulnerabilities have been reported. Here is a list of affected brands (2012 list):
• 3S, 7 Technologies, ABB, Advantech, AGG, Arbiter, ARC Informatique, AREVA, Atvise, Automated Solutions, AzeoTech, Beckhoff, Broadwin, Certec, Cisco, Cogent, COPA-DATA, Control Microsystems, Ecava, Emerson, Fultek, GarrettCom, General Electric, Honeywell, Intellicom, Iconics, Inductive Automation, InduSoft, Innominate, Invensys, IOServer, IRAI, Kessler-Ellis, Korenix, Koyo, Measuresoft, Microsys, Moxa, Ocean Data Systems, Open Automation Software, Optima, ORing, OSIsoft, PcVue, Pro-face, Progea, Real-Flex, Rockwell Automation, RuggedCom, SafeNet, Samsung, ScadaTEC, Schneider Electric, Schweitzer, Sielco Sistemi, Siemens, Sinapai, SpecView, Sunway, Technomatix, Tridium, Unitronics, VxWorks, Wago, WellinTech, Wonderware, and xArrow.
• Many of these vulnerabilities have been exploited either in a proof-of-concept environment or through the development of actual exploit code
Industrial Protocol vulnerabilities (1/2)

• A protocol vulnerability is not a bug; it is not the result of bad coding
• Industrial protocol vulnerabilities are the result of the command-and-control paradigm these protocols implement: any party that can send a well-formed message is obeyed
• These vulnerabilities cannot be easily resolved because they are not specific to a single product or vendor
Industrial Protocol vulnerabilities (2/2)
• Fixing the vulnerabilities of a protocol (e.g. Modbus) would require a coordinated multi-vendor industry effort
• Some organizations have tried to secure protocols:
• OPC UA and OPC Xi (secure successors of classic OPC; OPC specifies the exchange of real-time plant data between control devices from different manufacturers)
• IEC 62351 (we have already seen it!)
• However, they face the challenge of adoption!
• In the grid there are a lot of legacy devices using legacy protocols
Inherent vulnerabilities in industrial protocols
• As mentioned, many industrial protocols are vulnerable by design:
• They provide command and control
• They lack any compensating measures (no encryption, no authentication)
• Project Basecamp discovered many vulnerabilities in the PLCs, but what is worse are the "insecure by design" issues
• Several attack methods were disclosed for:
• Forcing a system to stop: by sending a Common Industrial Protocol (CIP) command to the device, this attack effectively shuts off the CIP service and renders the device dead
• Crashing the CPU: a malformed CIP request crashes the CPU
• Resetting the device: a simple misuse of the CIP system reset function
• Crashing the device: the attacker crashes the target device through a vulnerability in the device's CIP stack
• Flash update: CIP supports writing data to remote devices; this attack misuses that capability to write new firmware to the target device
Attack Tools

General Tools
• Many tools are available to test and resolve specific vulnerabilities or to perform in-depth security assessments. The same tools can be used by malicious agents
• General tools:
• Vulnerability and exploitability scanners for digital information systems: e.g. Nmap, Nessus, Nexpose, OpenVAS
• Penetration testing tools: e.g. Metasploit, Immunity's Canvas framework, Gleg Ltd's Agora SCADA+ pack for Canvas
• Metasploit: tools for scanning and enumerating the systems used by Transmission, Generation and Distribution SCADA
• Immunity's Canvas framework: includes SCADA exploits
Specific Tools: e.g. Smart Meter Tools
• Tools to hack smart meters through their optical interfaces
• Well-known tools: Termineter, OptiGuard
• Termineter: open source
• OptiGuard: used in the industry to assess and deploy more secure metering in today's Smart Grid
• Both tools speak the ANSI C12.18 and C12.19 protocols used on the optical diagnostic interface of most smart meters
• Once a meter is accessed, almost any parameter can be read (a clear privacy issue):
• Meter identity, manufacturer, operating mode, configuration and status, a variety of configuration and procedure commands, measurements and measurement parameters
• These tools require physical proximity to the smart meter (an optical probe)
• They cannot be used for large-scale cyber-attacks (even though longer-range optical transmitters and receivers are available)
Attack Methods

Attack Execution
• Once a Smart Grid target has been selected, how is the attack executed?
• It depends on the vulnerability; it could be straightforward, or it may require several further steps
• If the attack involves critical systems like the substation gateway, secondary attacks can be launched against other portions of the Grid
• In some cases the information gathered can be used to launch blended cyber and physical attacks
• E.g. by accessing the AMI, an attacker can target a house and determine whether someone is at home. If no one is in the house, he/she can decide to break in
• By remotely disconnecting a meter, an attacker can cut power to home security systems
Typical Attacks

• Man-in-the-Middle attacks: the attacker secretly relays and possibly alters the communication between two parties who believe they are communicating directly with each other
• Replay attacks: a valid data transmission is maliciously or fraudulently repeated or delayed
• If malware can be deposited, then backdoors can be used to remotely control almost anything!!
Man-in-the-middle (MITM) attack
• In a MITM attack the attacker inserts himself between communicating devices and snoops on (or alters) the traffic between them
• To perform a MITM attack, the attacker must be able to intercept traffic between the two target systems and inject new traffic
• Easy if the connection lacks encryption and authentication mechanisms (this is typical of industrial protocol traffic!!)
• Harder if encryption and authentication are used:
• The attacker needs to intercept the key exchange and substitute his own key for the legitimate one
• The difficulty for the attacker is making the two legitimate entities trust that he/she is the intended recipient
• How hard a MITM attack is therefore depends on how strictly certificates are validated
• Self-signed certificates are often used, and clients are frequently configured to accept any certificate without verification (very weak!!)
Replay Attacks (1/2)

• Issuing a specific process command to an industrial system may require in-depth knowledge of the industrial control system's operations
• Replay attacks do not need such knowledge
• Most industrial control traffic is transmitted in plain text, so it is easy to capture packets and retransmit them (or a modified version of them) to inject the desired process command
• If authentication is used, the authentication exchange can be captured as well; unless it includes freshness (a nonce or challenge-response), replaying it lets the attacker authenticate himself. This creates an authorized connection over which additional recorded traffic can be played back
Replay Attacks (2/2)
• Replay attacks are effective because of the command-and-control nature of industrial process control systems
• Commands exist to enable and disable security and alarms, and to update firmware and logic
• A replay attack can drop malicious logic/malware or manipulate variables/measurements
• If the goal is to sabotage a system, almost anything can be used to disrupt operations:
• E.g. a simple replayed command that trips a relay is enough to break most processes
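Why a captured Modbus command replays byte-for-byte, and what a passive monitor can still catch, as an added example (not from the slides): the code parses Modbus/TCP frames, and audits a constructed capture for write-class function codes (5, 6, 15, 16) coming from hosts outside an assumed master allowlist, and for a write PDU that re-appears from a different source within an assumed 10 s window. The frames and addresses are constructed; the transaction ID in the MBAP header is only used to match responses, so the slave accepts the copied frame unchanged.

```python
"""Passive audit of Modbus/TCP traffic for unauthorized or replayed write commands.
Added example. The capture, the master allowlist and the replay window are
constructed assumptions for the demo, not data from the lecture."""
import struct

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
AUTHORIZED_MASTERS = {"10.10.1.5"}  # assumed: the only HMI allowed to issue writes


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into MBAP header fields and the PDU (function code + data)."""
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:   # length counts unit id + PDU
        return None
    return {"tid": tid, "unit": unit, "fc": frame[7], "pdu": frame[7:]}


def build_write_single_coil(tid: int, unit: int, address: int, on: bool) -> bytes:
    pdu = struct.pack(">BHH", 5, address, 0xFF00 if on else 0x0000)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def audit(packets, window=10.0):
    """packets: iterable of (timestamp, src_ip, frame). Returns a list of alert strings."""
    alerts = []
    first_seen = {}  # write PDU bytes -> (timestamp, src_ip) of its first appearance
    for ts, src, frame in packets:
        m = parse_mbap(frame)
        if m is None or m["fc"] not in WRITE_FUNCTIONS:
            continue  # reads are noisy and harmless here; only writes change the process
        name = WRITE_FUNCTIONS[m["fc"]]
        if src not in AUTHORIZED_MASTERS:
            alerts.append(f"{ts:.1f} {src}: {name} from unauthorized master")
        prior = first_seen.get(m["pdu"])
        if prior and prior[1] != src and ts - prior[0] <= window:
            alerts.append(f"{ts:.1f} {src}: {name} replays PDU first sent by {prior[1]} at {prior[0]:.1f}")
        first_seen.setdefault(m["pdu"], (ts, src))
    return alerts


# Constructed capture: the HMI opens coil 19 (e.g. a breaker), then a rogue host
# replays the identical frame and follows up with its own command.
SAMPLE = [
    (0.0, "10.10.1.5", build_write_single_coil(1, 1, 0x0013, True)),
    (0.5, "10.10.1.5", struct.pack(">HHHB", 2, 0, 6, 1) + struct.pack(">BHH", 3, 0, 10)),  # read 10 regs
    (4.2, "10.10.1.99", build_write_single_coil(1, 1, 0x0013, True)),   # byte-for-byte replay
    (5.0, "10.10.1.99", build_write_single_coil(7, 1, 0x0013, False)),  # new write from rogue host
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The monitor is a compensating control, not a fix: the protocol itself has no way to reject the replay, so the real countermeasure is segmentation plus an allowlist of who may write, with the monitor raising the alarm when that is violated.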
Popping the HMI
• One of the easiest ways to obtain unauthorized command and control of a SCADA system is through the human-machine interface (HMI)
• Device vulnerabilities can be exploited to install remote access to the console
• With full access to the HMI there is no need to understand industrial protocols or control system operations
• The HMI user interface can be used directly, exactly as an operator would
Blended Attacks (1/4)

• A blended threat is an exploit that combines elements of multiple types of malware and usually employs multiple attack vectors to increase the severity of the damage and the speed of contagion
• It can exploit multiple zero-day vulnerabilities
• It can use multiple modules to adapt to different scenarios and contexts, spread quickly through the networks and hide itself from detection
Blended Attacks (2/4)
• Example of a persistent, multi-stage attack against the Smart Grid
1. A vendor technician downloads a firmware patch for a field device, but receives a counterfeit patch containing malware
2. The technician arrives on site and passes the background checks. His laptop passes a virus scan (since the malware is a zero-day, it is not detected)
3. The patch drops a small payload into the project files of a substation automation controller, infecting the remote terminal unit (RTU) and field devices through the distribution system (exploiting the industrial protocols)
4. At this stage, the gateway, the field devices and other systems are infected. Depending on the environment the virus resides in, new modules become active and unused code is removed to avoid detection
5. The damage can be done:
a) Reconnaissance, theft of private information, coordinated attacks designed to manipulate whole areas of the grid (all while hiding the actions from both human operators and management applications)
Blended Attacks (3/4)

Is the attack in the previous slide realistic?

Blended Attacks (4/4)

Unfortunately yes: Stuxnet did something very similar!!
Attacks against the Phasor Measurement Unit (1/2)
• Phasor measurement units have been introduced to give a better understanding of the power network status
• Their main purpose is therefore to prevent outages

• Can PMUs be manipulated by a cyber attack?

• They transmit measurements over a wide network, so in principle the answer is yes!
• PMUs are very specific devices, so, unlike other Smart Grid devices, only interruption or manipulation of measurements is possible
• Manipulation of phasor readings can cause damage to the T&D system, because operators and control applications act on them
Attacks against the Phasor Measurement Unit (2/2)

• The attack could be highly specialized:
• GPS spoofing to alter the time synchronization across PMUs (the GPS timestamps are what make phasors from different locations comparable)
• Malware within the Phasor Data Concentrator (PDC) to alter the PMU measurements
Conclusions

• Many subsystems in the Smart Grid are susceptible to a variety of attacks
• While some devices are more secure than others, the "weakest link" can be used as an attack vector.
Smart Grids and Control
System Security
INSE 6640 – Privacy Concerns with the Smart Grid (Part 1)
(Lecture 4)

Lecture Outline
• Personal data
• Privacy risks associated with the Smart Grid
Privacy Concerns in the Smart Grid
• The privacy concerns are mainly related to the collection and use of energy consumption data gathered from homes
• Consumer-specific energy usage data have enormous potential to enable utilities or third-party service providers to help consumers significantly reduce energy consumption
• The same data can disclose detailed information about the behaviour and activities of a particular household
• Controls need to be implemented to ensure the data is collected, used and shared in line with privacy expectations
Privacy Concerns

• One of the biggest issues that needs to be resolved is the way third parties should be allowed access to consumer energy usage data
• Consumers need to have access to their usage data and should be allowed to make informed choices about allowing third-party access to their information
Personal Data

Personal Data
• What does "personal data" mean? (multiple definitions exist)
• Can a person be identified from the data, or from the data combined with other information that a data controller could potentially collect?

IN THE SMART GRID

• Without the implementation of appropriate safeguards, there will be massive amounts of personal data easily accessible to authorized and, potentially, unauthorized parties
Smart Grid and Privacy Risks

Smart Grid and Privacy Risks
• Recap of some Smart Grid advantages:
• Consumers can log into their energy account and view how much energy they are using, based on information reported by their smart meter
• Smart devices can adjust energy consumption based on user preferences and the price of energy (e.g. exploit off-peak prices)
• Consumers can receive alerts when grid outages happen via their preferred communication channel
• The grid operator can accurately identify the source of a disruption, allowing rerouting and minimizing the duration and impact of the disruption
Smart Meters and Privacy Risks

• Drawback: the price to pay for those advantages is the use of data, including personal data
• Throughout the Smart Grid architecture a lot of information is generated, but the centre of the privacy concerns is the Smart Meter
• Smart Meters: one of the objectives of smart meters is to collect the energy consumption of consumers, at fine time granularity
Smart Meters and Privacy Risks

• Does it really matter if anybody knows how much energy you are consuming?

• Example: if there is no energy usage at specific times of the day in a house, it may indicate that the property is vacant
• If I ask the question again, does it matter now? Do you want third parties to have such information?
Smart Meters and Privacy Risks
• Third parties can achieve a level of granularity that goes well beyond simply "on or off"
• E.g. they may be able to estimate the number of individuals at a given property
• According to "NISTIR 7628 Guidelines for Smart Grid Cyber Security: vol. 2, Privacy and the Smart Grid", it is possible to
• Reveal usage patterns of individual appliances
• Identify specific appliances using libraries of known load patterns
• (...and a lot more...)
• E.g. law enforcement can review the energy consumption of properties to determine whether, for example, marijuana is being grown! (this is a good thing though!)
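How appliance identification and occupancy inference work on a meter trace, as an added example (not from NISTIR 7628 or the slides): step changes in a one-minute load series are matched against a library of known appliance power signatures, events from appliances that cycle on their own (the fridge) are discounted, and the longest stretch at baseline load is measured as a "nobody home" indicator. The trace, the signature library, the 40 W step threshold and the 300 W baseline are all constructed assumptions for the demo.

```python
"""Toy non-intrusive load monitoring: appliance steps and idle periods from a load trace.
Added example; every number below (trace, signatures, thresholds) is constructed."""

# Constructed signature library: appliance -> nominal power step in watts when it switches on
SIGNATURES = {"fridge compressor": 120, "kettle": 2000, "television": 90, "microwave": 1100}

# Constructed one-minute meter readings (watts) over 20 minutes; 300 W is standby baseline
TRACE = [300, 300, 420, 420, 420, 300, 300, 2300, 2300, 300,
         300, 300, 390, 390, 390, 390, 300, 300, 300, 300]

AUTONOMOUS = {"fridge compressor"}  # cycles without anyone present, so not evidence of occupancy


def detect_events(trace, threshold=40):
    """Return (index, delta_watts) for every minute-to-minute change larger than threshold."""
    return [(i, trace[i] - trace[i - 1]) for i in range(1, len(trace))
            if abs(trace[i] - trace[i - 1]) > threshold]


def label_events(events, library, tolerance=0.15):
    """Match each step to the appliance whose nominal step lies within tolerance (closest wins)."""
    labels = []
    for i, delta in events:
        state = "on" if delta > 0 else "off"
        best = None
        for name, watts in library.items():
            err = abs(abs(delta) - watts)
            if err <= tolerance * watts and (best is None or err < abs(abs(delta) - library[best])):
                best = name
        labels.append((i, state, best or "unknown"))
    return labels


def presence_indicators(labels):
    """Indices of switch-on events that imply a person acted (autonomous and unknown loads excluded)."""
    return [i for i, state, name in labels
            if state == "on" and name not in AUTONOMOUS and name != "unknown"]


def longest_idle_run(trace, baseline=300, slack=20):
    """Longest run of consecutive samples sitting at the baseline: a proxy for 'nobody home'."""
    best = run = 0
    for w in trace:
        run = run + 1 if abs(w - baseline) <= slack else 0
        best = max(best, run)
    return best


if __name__ == "__main__":
    events = detect_events(TRACE)
    for i, state, name in label_events(events, SIGNATURES):
        print(f"minute {i:2d}: {name} {state}")
    print("minutes with human-driven activity:", presence_indicators(label_events(events, SIGNATURES)))
    print("longest idle stretch (min):", longest_idle_run(TRACE))
```

Even this crude matching turns "how much energy" into "when the kettle went on and when the TV went off", which is why the slide's anonymization assumption (next section) deserves scepticism: the behavioural content is in the shape of the trace, not in the name field.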
Power Usage to Personal Activity Mapping – NISTIR 7628 (figure)
Privacy Protection and Third-Party Analytics (1/2)
• The expectation is that the data sold will not be about an identifiable individual and therefore not covered by data protection legislation!
• What is likely to be sold (by the operator) to authorized third parties should be anonymized
• This makes a very big assumption: that simple obfuscation of the personal data fields is sufficient
• The challenge we face today with the release of very large volumes of data is inference: the ability to re-derive sanitized data by combining multiple data sources
Privacy Protection and Third-Party Analytics (2/2)
• The field of analytics for the Smart Grid is anticipated to grow enormously
• In principle we cannot say whether this is good or bad. It depends on who has the information and how it will be used!
• Good use: customers get recommendations on energy consumption that could save money
• Bad use: a plethora of electronics manufacturers inundating consumers with details of their latest products, armed with detailed prior knowledge of the devices in the home and their consumption, without prior consent
• Operators gain financial benefits by selling data to third parties
Thank you!
