«3 Threats and Impacts: Utility Companies and Beyond INFORMATION IN THIS CHAPTER • Confidentiality • Integrity • Availability We discussed the ...»
Threats and Impacts:
INFORMATION IN THIS CHAPTER
We discussed the threats and their impact to consumers in the last chapter, but
now let us focus on those that are relevant to utility companies, businesses, and governments. Some of these threats are similar, some are unique, but attacks against utility companies, businesses, and governments will have a broader impact than attacks against consumers.
The threats are broken down into the components of the CIA triad, depicted in Figure 3.1 below: confidentiality, integrity, and availability. The impact of these threats is presented in a hypothetical scenario format. However, these threats and their impact could very easily become reality. In some cases, they already have.
Confidentiality Integrity Availability FIGURE 3.1 The CIA triad.
35 A Guide to Kernel Exploitation. DOI: 10.1016/B978-1-59749-570-7.00003-0 © 2011 by Elsevier Inc. All rights reserved.
36 CHAPTER 3 Threats and Impacts: Utility Companies and Beyond
Consumer Privacy Utility companies collect and store customer information such as name, address, social security number, and consumption data; all information you and I expect to remain confidential. Breaching this confidentiality to access such information is the goal of many hackers, as highlighted in Verizon Business’ 2009 Data Breach Investigations Report, “… criminals have had to overhaul their processes and dif- ferentiate their products in order to maintain profitability. In 2008, this was accomplished by targeting points of data concentration or aggregation…”1 However, hackers may not be the only ones who want this information. With the adoption of smart grid technologies, consumers will more frequently interact with their utility companies through Internet accessible Web applications. These applications will allow consumers to monitor and control their power consump- tion, and even control their smart devices. Law enforcement could utilize this information to support investigations, much like mobile phone data, such as global positioning satellite (GPS), is used today.
NOTE Security and Privacy blogger Christopher Soghoian published findings on December 1, 2009 that Sprint, a United States based wireless carrier, provided law enforcement agencies customer GPS location data between 2008 and 2009. Over a 13-month span, Sprint provided customer GPS location data more than eight million times to different law enforcement agencies through a special Web portal.2 PII As discussed in the previous chapter, smart grids present a host of threats to consumers. While we previously discussed targeted threats and impacts, compromising the confidentiality of consumer data housed by the utility companies presents a far greater reward than compromising the confidentiality of single consumer.
• Impact – Hackers obtain the personally identifiable information (PII) of 500,000 HackMe customers. This information includes customer names, addresses, birth dates, social security numbers, and account numbers. For those customers who utilize automatic or online bill payment, Hackers also obtain customers’ credit card numbers and bank account information.
The hackers sell this information on the black market, and HackMe’s customers are left to deal with repercussions. Government agencies, regulatory bodies, and customers become enraged that this information was compromised and the utility company is fined for not protecting the information properly.
NOTE SQL Injection is an attack that consists of inserting a malicious Structured Query Language (SQL) query into data that is passed from the application client to the backend database server. Such attacks can allow an attacker to manipulate data within application databases.
Often, these databases include sensitive information such as usernames, passwords, credit card information, social security numbers, and more. You can learn more about SQL Injection at www.owasp.org/index.php/SQL_Injection or Justin Clarke’s SQL Injection Attacks and Defense (ISBN: 978-1-59749-424-3).
Consumption Data We previously covered, in the “Illegal Activity” section of the previous chapter, how law enforcement agencies may utilize consumption information to determine if utility companies’ customers are producing illegal substances. However, alternate uses by law enforcement include using similar information to determine the location of suspects during crimes.
• Threat – Consumers become disenfranchised with smart grid technologies after the repeated use of consumption information in the prosecution of criminals.
• Attack vector – Law enforcement reviews suspects’ historical consumption information to determine the likelihood that they were located at their residence during the time of crime.
• Impact – Customer backlash at the alleged misuse of consumption information forces utility companies to modify their smart grid deployments. These modifications pose a significant financial burden to the utility companies, and the public backlash slows the adoption of smart grid technologies.
Proprietary Information Utility companies possess valuable information beyond that of their customers’ PII.
Proprietary information, such as trade secrets, will be targeted by hackers who 38 CHAPTER 3 Threats and Impacts: Utility Companies and Beyond believe they can sell the information to competing organizations, governments, or terrorist groups.
• Threat – A foreign government, frustrated by the sanctions imposed by the United Nations, utilizes its own hackers to compromise an American utility company and obtain trade secrets. These trade secrets will allow the foreign government to significantly increase its power-generating capabilities despite the imposed sanctions.
• Attack vector – An exploit is placed on the utility companies’ Web site that leverages vulnerability in an unpatched version of a popular Web browser.
When a utility company employee visits the Web site, the vulnerability is exploited, and malware is installed on their system. This malware allows the foreign government’s hackers to gain access to the utility company’s internal network and ultimately steal trade secrets on power generation.
• Impact – The foreign government is able to increase power generation despite the United Nations imposed sanctions. The utility company losses their competitive advantage as the trade secrets are eventually made public on the Internet. The utility company sees its profits drop significantly as their competitors reduce the gap that was once created by the trade secrets.
INTEGRITY Integrity is attained when information is protected from unauthorized modification.
A loss of integrity has the greatest effect on the utility companies, which is manifested in fraud and service theft.
Service Fraud Regardless of the deployment architecture chosen by a particular utility company, their customers will have access to the smart meters deployed in their homes and businesses. While tamper-resistant mechanisms should be employed, countermeasures will undoubtedly be published on the Internet.
Once information on how to hack smart meters makes its way onto the Internet, the masses, ranging from hackers to curious consumers, will possess the knowledge on how to defraud their utility company. Some will steal services, while others will be as bold as to collect money from the utility companies by fooling the system to believe that the dwelling generated electricity for the grid instead of consuming it.
economy, significantly lower utility bills may sound too attractive to resist to the average consumer.
• Threat – Consumers hack their smart meters to modify the usage information being sent to the utility company.
• Attack vector – A vulnerable network device driver within the customers’ smart meter allows remote code execution when properly exploited. Customers download and install custom software off of the Internet that exploits the vulnerability and loads custom firmware onto the smart meter.
• Impact – Customer is able to under-report their usage to the utility company.
Thus, the customer obtains a lower bill while the utility company unknowingly subsidizes their customer.
Net Metering The most profitable threat for consumers as a result of smart meter tampering is manipulation of net metering data. Net metering allows consumers to provide the utility companies with power generated by the consumers utilizing technologies, including wind and solar. In turn, the utility companies either provide the consumer with an account credit, or issue a check for the amount of energy provided by the consumer to the utility company.
• Threat – Consumers hack their smart meters to modify the power generation information being sent to the utility company.
• Attack vector – An easily guessed password on an administrative interface (Secure Shell [SSH]) of the customer’s smart meter allows complete access to the device, including the net metering data. The customer modifies the data using a tool they downloaded from the Internet.
• Impact – Customer is able to over-report the amount of power being provided to the utility company. Thus, the customer obtains a larger credit or even a check from the utility company, while they unknowingly are paying their customer for nothing.
NOTE Within Section 1251 of the Energy Policy Act of 2005, the U.S. Congress mandated that all public electric utilities must make net metering available to their customers.3 Sensor Data Manipulation Smart meters will include sensors that will allow the utility companies to perform myriad tasks ranging from post mortem forensic analysis to power system 40 CHAPTER 3 Threats and Impacts: Utility Companies and Beyond restoration, to distribution network monitoring, restoration, and self healing.
However, if the integrity of the sensor data is compromised, the result will be disastrous.
• Threat – Brett, a self-taught hacker, is curious about how the “whole smart grid thing works.” Being in high school, Brett lives with his parents, whose house was recently fitted with a smart meter. Brett spends hours upon hours playing with the smart meter and eventually is able to create a program that would send false sensor data for his entire neighborhood.
• Attack vector – The sensor data is sent from the smart meters to the utility company in an unencrypted format. Brett uses this insecure configuration to capture, manipulate, and successfully transmit false sensor data to the utility company. He is also able to capture network traffic for his neighbor’s smart meters and obtains their Internet Protocol (IP) addresses. Using his custom written program, Brett sends false sensor information to the utility company, indicating that Brett’s entire neighborhood is without power.
• Impact – The utility company, unsure of how a single neighborhood can lose power, sends a crew out to investigate. Upon arrival at the neighborhood in question, the crew reports that there is no outage. The utility company underestimates the criticality of the issue and simply chalks its up to a system malfunction. Brett, amused by the situation, performs similar attacks over the next two years, ultimately costing the utility company thousands of dollars in wasted man hours.
AVAILABILITYAvailability is attained when the service provided by the utility companies is protected from unauthorized interruption. A loss of availability has a significant impact on utility companies and those that rely on their services. This includes consumers, organizations, businesses, and governments.
Consumer Targets Consumers will be the targets of attacks on the availability of the power to their houses. These attacks will most likely come from script kiddies or people the victims know. Despite the relatively innocuous intent of the attackers, the impact of their exploits will wreak havoc on their victims.
• Threat – Carla’s ex-boyfriend, Andy, wants revenge for Carla breaking up with him. Andy is able to attack Carla’s smart meter to create a blackout localized to Carla’s townhouse.
• Attack vector – Carla’s default wireless router configuration allows Andy to easily access her wireless network and connect to the Web front end of her smart meter. Once access to the smart meter was obtained, Andy changed its default password, and shutdown power to Carla’s townhouse.
• Impact – Carla is left without power and is unable to connect to her smart meter to re-enable power as her wireless network is down and she no longer knows the password to the unit.
TIP Ever wondered what the default password was for a device you own? Or a device someone else owns? Phenoelit-US.org maintains a comprehensive and up-to-date list of default vendor passwords at www.phenoelit-us.org/dpl/dpl.html.
Organizational Targets Much like consumers, organizations will be the targets of attacks on the availability of the power to their locations. These attacks will come from script kiddies, professional hackers, or people the organizations know. However, unlike the attacks on consumers, the intent of the attackers will most certainly be malicious and may result in extortion.
Utility Companies The most obvious organization targeted by those attacking the new smart grid is the utility companies. The utility companies will represent the “holy grail” of targets to attackers. Script kiddies will try and compromise the utility companies for notoriety, while professional hackers may be sponsored and have more malicious drivers. We will cover these drivers shortly.