EON EMF Digest 9-12-10 – Cyber Security Issues

‘SmartMeter’ Security Issues

Sorry, but to understand the issues involved in PG&E’s ‘SmartMeter’ build-out plan, you have to learn a few more acronyms. The generic term is ICS (Industrial Control Systems), which increasingly envelop us in a metastasizing meshwork of corporate and government command and control technologies. SCADA (Supervisory Control and Data Acquisition), with which utilities manage energy supply, together with AMI (Advanced Metering Infrastructure, sometimes written Automated Metering Infrastructure) and the so-called ‘SmartMeters’ themselves (the simpler one-way meter-reading systems that preceded them are AMRs, Automatic Meter Reading), constitute a new alphabet soup of systems which in turn potentially constitute a whole new soup of electromagnetic exposure in our environment.

The following three valuable posts on cyber-security and the so-called ‘smartmeters’ come to us thanks to Sandi Maurer, founder of EMRSafetyNetwork.org. One of the main take-away messages is clearly this: building AMI on wireless links of any kind to communicate with and manage the meters deliberately introduces new weaknesses and vulnerabilities into the existing power utility SCADA mix. AMI and AMR should not take the cheap-in-the-short-run, low-reliability, low-durability wireless route when hardwired infrastructure options exist.

Why SCADA Security Matters–And What You Should Know About It
September 2, 2010 By Diana Kelley
SCADA (supervisory control and data acquisition) systems run critical infrastructure and manufacturing processes. SCADA is what the local power company uses to manage usage on the grid and ensure customers have energy during times of high use.

Jonathan Pollet, founder of Red Tiger Security, a consulting and testing company that specializes in SCADA and critical infrastructure, notes: “SCADA Engineers and System Integrators know how to design, commission, and maintain real-time control systems, but typically do not have the right skill sets and training to embed security into those systems. They typically do not understand how to properly harden the servers, operator workstations, and network infrastructure, and in most cases, these systems are commissioned with default passwords and administrator accounts with no passwords.”
Despite the lack of awareness about SCADA security among most security professionals, the risks associated with SCADA exploits and vulnerabilities are significant. Very worst case scenarios of distributed SCADA attacks include bringing down the power grid to a major metropolitan city (or cities) and tampering with the temperature monitoring at a nuclear power plant causing a meltdown.

Electricity for Free?
The Dirty Underbelly of SCADA and Smart Meters

Jonathan Pollet, CISSP, CAP, PCIP July 2010
SCADA Systems control the generation, transmission, and distribution of electric power, and Smart Meters are now being installed to measure and report on the usage of power. While these systems have in the past been mostly isolated systems, with little if any connectivity to external networks, there are many business and consumer issues driving both of these technologies to be opened to external networks and the Internet.
Over the past 10 years, we have performed over 100 security assessments on SCADA (Supervisory Control and Data Acquisition Systems), EMS (Energy Management Systems), DCS (Distributed Control Systems), AMI (Automated Metering Infrastructure), and Smart Grid systems. We have compiled very interesting statistics regarding where the vulnerabilities in these systems are typically found, and how these vulnerabilities can be exploited.
DoE National SCADA Test Bed (NSTB) Assessments
Summary Report: Common Industrial Control System Cyber Security Weaknesses

ICS software mostly suffers from the lack of secure software design and coding practices. ICS network protocols and associated server applications are prone to MitM data viewing and alteration, as well as compromise through invalid input. This lack of security culture contributes to poor code quality, network protocol implementations that rely on weak authentication and allow information disclosure, and vulnerable custom ICS Web services.
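To make the report's two complaints concrete, here is an added example (not from the NSTB report or any vendor's code) using Modbus/TCP framing as a representative ICS protocol; the report itself names no specific protocol, so that choice is an assumption, and every frame and key below is constructed for the demonstration. The block shows a Write Single Register request that carries no credential or integrity check, so an on-path attacker can rewrite the value and the device cannot tell; a trusting parser of the kind the report describes, which crashes on a short frame and silently accepts one whose length field disagrees with the wire; a strict parser that validates each attacker-controlled field; and, as an illustration of what "weak authentication" is missing, a keyed HMAC tag that makes the alteration detectable (this is not part of any standard and does not address key distribution or replay).

```python
"""Unauthenticated ICS write request: in-flight alteration, a trusting parser
versus a strict one, and a keyed integrity tag.  Modbus/TCP framing is used as
a representative ICS protocol (an assumption; the report names none).  All
frames and keys below are constructed for the demonstration."""
import hashlib
import hmac
import struct

MBAP_LEN = 7                     # transaction id (2), protocol id (2), length (2), unit id (1)
FC_WRITE_SINGLE_REGISTER = 0x06
TAG_LEN = 16                     # truncated HMAC-SHA256 tag for the hardened variant


def build_write_single(tid, unit, addr, value):
    """Encode a Write Single Register request.  Note what is absent: no
    credential, no nonce, no integrity check.  Anyone who can reach the
    device or sit on the path can craft or modify this."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, addr, value)
    # The MBAP length field counts the unit id plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def naive_parse_write_single(frame):
    """The kind of parser the NSTB report describes: trusts every field.
    A short frame raises struct.error (an unhandled crash in a real daemon);
    a frame whose length field disagrees with the wire is accepted silently."""
    fc, addr, value = struct.unpack(">BHH", frame[7:12])
    return {"function": fc, "address": addr, "value": value}


def parse_write_single(frame):
    """Strict parser: every attacker-controlled field is checked before use."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id must be 0")
    if length != len(frame) - 6:
        raise ValueError("declared length %d, but %d bytes follow the length field"
                         % (length, len(frame) - 6))
    fc = frame[7]
    if fc != FC_WRITE_SINGLE_REGISTER:
        raise ValueError("unsupported function code 0x%02x" % fc)
    if length != 6:              # unit id + function code + address + value
        raise ValueError("write single register PDU must be exactly 5 bytes")
    addr, value = struct.unpack(">HH", frame[8:12])
    return {"tid": tid, "unit": unit, "function": fc, "address": addr, "value": value}


def tamper_value(frame, new_value):
    """What an on-path attacker does: overwrite the 16-bit value in flight.
    The result is a fully valid frame; the receiver cannot tell it was altered."""
    return frame[:10] + struct.pack(">H", new_value)


def tag_frame(frame, key):
    """Hardened variant (illustrative, not part of any standard): append a keyed
    MAC so the receiver can detect alteration.  Key management and replay
    protection are separate problems this does not solve."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]


def verify_tagged(tagged, key):
    """Check the tag in constant time, then return the bare frame for the strict parser."""
    if len(tagged) < TAG_LEN + MBAP_LEN:
        raise ValueError("tagged frame too short")
    frame, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: frame altered or wrong key")
    return frame


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed for the example only
    legit = build_write_single(1, 1, 0x0010, 100)
    print("legitimate:", parse_write_single(legit))
    print("altered in flight:", parse_write_single(tamper_value(legit, 500)))
    bad_len = legit[:4] + struct.pack(">H", 60) + legit[6:]
    print("naive parser accepts bad length:", naive_parse_write_single(bad_len))
    try:
        parse_write_single(bad_len)
    except ValueError as e:
        print("strict parser rejects:", e)
    tagged = tag_frame(legit, key)
    forged = tamper_value(legit, 500) + tagged[len(legit):]
    try:
        verify_tagged(forged, key)
    except ValueError as e:
        print("tag catches alteration:", e)
```

The point of the strict parser is not the specific checks but the habit: every length, count and type field on the wire is attacker input and is compared against what actually arrived before it is used to index anything. The tag shows why "authentication" in a control protocol has to be keyed and per-message; a password exchanged once at session start, or none at all, leaves every subsequent write open to the alteration shown here.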
ICS software generally uses third-party applications such as common Web servers, remote access services, and encryption services. Many out-of-date and vulnerable third-party software applications and services have been identified on new ICS versions; all indications show that the ICS vendor is not supporting third-party patch management for their products.
Vendor support is needed to remediate the unnecessary exposure and vulnerabilities caused by excessive services and unpatched systems. ICS software has not been designed for security….