
CHAPTER 3

Threats and Impacts: Utility Companies and Beyond

INFORMATION IN THIS CHAPTER

• Confidentiality

• Integrity

• Availability

We discussed the threats and their impact to consumers in the last chapter, but now let us focus on those that are relevant to utility companies, businesses, and governments. Some of these threats are similar, some are unique, but attacks against utility companies, businesses, and governments will have a broader impact than attacks against consumers.

The threats are broken down into the components of the CIA triad, depicted in Figure 3.1 below: confidentiality, integrity, and availability. The impact of these threats is presented in a hypothetical scenario format. However, these threats and their impact could very easily become reality. In some cases, they already have.

FIGURE 3.1 The CIA triad: Confidentiality, Integrity, Availability.

35 A Guide to Kernel Exploitation. DOI: 10.1016/B978-1-59749-570-7.00003-0 © 2011 by Elsevier Inc. All rights reserved.


CONFIDENTIALITY

Confidentiality is attained when information is protected from unauthorized disclosure. A loss of confidentiality has the greatest effect on consumers. However, the aggregation of personal information about consumers by the utility companies makes them a significantly larger target to hackers.

Consumer Privacy

Utility companies collect and store customer information such as name, address, social security number, and consumption data; all information you and I expect to remain confidential. Breaching this confidentiality to access such information is the goal of many hackers, as highlighted in Verizon Business’ 2009 Data Breach Investigations Report, “… criminals have had to overhaul their processes and differentiate their products in order to maintain profitability. In 2008, this was accomplished by targeting points of data concentration or aggregation…”1 However, hackers may not be the only ones who want this information. With the adoption of smart grid technologies, consumers will more frequently interact with their utility companies through Internet-accessible Web applications. These applications will allow consumers to monitor and control their power consumption, and even control their smart devices. Law enforcement could utilize this information to support investigations, much like mobile phone data, such as global positioning satellite (GPS), is used today.

NOTE Security and Privacy blogger Christopher Soghoian published findings on December 1, 2009 that Sprint, a United States based wireless carrier, provided law enforcement agencies with customer GPS location data between 2008 and 2009. Over a 13-month span, Sprint provided customer GPS location data more than eight million times to different law enforcement agencies through a special Web portal.2

PII

As discussed in the previous chapter, smart grids present a host of threats to consumers. While we previously discussed targeted threats and impacts, compromising the confidentiality of consumer data housed by the utility companies presents a far greater reward than compromising the confidentiality of a single consumer.


• Impact – Hackers obtain the personally identifiable information (PII) of 500,000 HackMe customers. This information includes customer names, addresses, birth dates, social security numbers, and account numbers. For those customers who utilize automatic or online bill payment, the hackers also obtain customers’ credit card numbers and bank account information.

The hackers sell this information on the black market, and HackMe’s customers are left to deal with repercussions. Government agencies, regulatory bodies, and customers become enraged that this information was compromised and the utility company is fined for not protecting the information properly.

NOTE SQL Injection is an attack that consists of inserting a malicious Structured Query Language (SQL) query into data that is passed from the application client to the backend database server. Such attacks can allow an attacker to manipulate data within application databases.

Often, these databases include sensitive information such as usernames, passwords, credit card information, social security numbers, and more. You can learn more about SQL Injection at www.owasp.org/index.php/SQL_Injection or Justin Clarke’s SQL Injection Attacks and Defense (ISBN: 978-1-59749-424-3).
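The difference the note describes, as an added example that is not from the book: a customer lookup that splices the account id into the SQL text beside one that binds it as a parameter, run against a constructed in-memory SQLite table whose names, account ids and SSNs are placeholders.

```python
import sqlite3

# Constructed sample rows standing in for the HackMe customer table in the
# scenario above (placeholder names, SSNs and account ids, not real data).
CUSTOMERS = [
    ("10001", "Alice Example", "123-00-0001"),
    ("10002", "Bob Example", "123-00-0002"),
    ("10003", "Carol Example", "123-00-0003"),
]


def make_db():
    """In-memory SQLite database seeded with the sample customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (account TEXT, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, account):
    """Splices the account id into the SQL text, so the value is parsed as part
    of the query: a crafted id changes the WHERE clause instead of matching it."""
    sql = "SELECT account, name, ssn FROM customer WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account):
    """Binds the account id as a parameter: the driver keeps it as data, so it
    can only match (or fail to match) a literal account value."""
    sql = "SELECT account, name, ssn FROM customer WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


def validate_account(account):
    """Defence in depth in front of the query: accept only a five-digit id."""
    if not (account.isdigit() and len(account) == 5):
        raise ValueError("malformed account id")
    return account


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # the classic tautology input used to illustrate the flaw
    print("concatenated query returned", len(lookup_vulnerable(db, probe)), "rows")
    print("parameterized query returned", len(lookup_parameterized(db, probe)), "rows")
```

The concatenated form hands back every customer row for the tautology input, while the parameterized form returns nothing for it and still finds a genuine account.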

Consumption Data

We previously covered, in the “Illegal Activity” section of the previous chapter, how law enforcement agencies may utilize consumption information to determine if utility companies’ customers are producing illegal substances. However, alternate uses by law enforcement include using similar information to determine the location of suspects during crimes.

Scenario

• Threat – Consumers become disenfranchised with smart grid technologies after the repeated use of consumption information in the prosecution of criminals.

• Attack vector – Law enforcement reviews suspects’ historical consumption information to determine the likelihood that they were located at their residence during the time of the crime.

• Impact – Customer backlash at the alleged misuse of consumption information forces utility companies to modify their smart grid deployments. These modifications pose a significant financial burden to the utility companies, and the public backlash slows the adoption of smart grid technologies.

Proprietary Information

Utility companies possess valuable information beyond that of their customers’ PII. Proprietary information, such as trade secrets, will be targeted by hackers who believe they can sell the information to competing organizations, governments, or terrorist groups.

Scenario

• Threat – A foreign government, frustrated by the sanctions imposed by the United Nations, utilizes its own hackers to compromise an American utility company and obtain trade secrets. These trade secrets will allow the foreign government to significantly increase its power-generating capabilities despite the imposed sanctions.

• Attack vector – An exploit is placed on the utility company’s Web site that leverages a vulnerability in an unpatched version of a popular Web browser. When a utility company employee visits the Web site, the vulnerability is exploited, and malware is installed on their system. This malware allows the foreign government’s hackers to gain access to the utility company’s internal network and ultimately steal trade secrets on power generation.

• Impact – The foreign government is able to increase power generation despite the United Nations imposed sanctions. The utility company loses its competitive advantage as the trade secrets are eventually made public on the Internet. The utility company sees its profits drop significantly as its competitors close the gap that was once created by the trade secrets.

INTEGRITY

Integrity is attained when information is protected from unauthorized modification. A loss of integrity has the greatest effect on the utility companies, which is manifested in fraud and service theft.

Service Fraud

Regardless of the deployment architecture chosen by a particular utility company, their customers will have access to the smart meters deployed in their homes and businesses. While tamper-resistant mechanisms should be employed, ways of defeating them will undoubtedly be published on the Internet.

Once information on how to hack smart meters makes its way onto the Internet, the masses, ranging from hackers to curious consumers, will possess the knowledge of how to defraud their utility company. Some will steal services, while others will be so bold as to collect money from the utility companies by fooling the system into believing that the dwelling generated electricity for the grid instead of consuming it.


economy, significantly lower utility bills may sound too attractive to resist to the average consumer.

Scenario

• Threat – Consumers hack their smart meters to modify the usage information being sent to the utility company.

• Attack vector – A vulnerable network device driver within the customers’ smart meter allows remote code execution when properly exploited. Customers download and install custom software from the Internet that exploits the vulnerability and loads custom firmware onto the smart meter.

• Impact – The customer is able to under-report their usage to the utility company. Thus, the customer obtains a lower bill while the utility company unknowingly subsidizes its customer.

Net Metering

The most profitable threat for consumers as a result of smart meter tampering is manipulation of net metering data. Net metering allows consumers to provide the utility companies with power generated by the consumers themselves using technologies such as wind and solar. In turn, the utility companies either provide the consumer with an account credit, or issue a check for the amount of energy provided by the consumer to the utility company.

Scenario

• Threat – Consumers hack their smart meters to modify the power generation information being sent to the utility company.

• Attack vector – An easily guessed password on an administrative interface (Secure Shell [SSH]) of the customer’s smart meter allows complete access to the device, including the net metering data. The customer modifies the data using a tool they downloaded from the Internet.

• Impact – The customer is able to over-report the amount of power being provided to the utility company. Thus, the customer obtains a larger credit or even a check from the utility company, while the utility unknowingly pays its customer for nothing.

NOTE Within Section 1251 of the Energy Policy Act of 2005, the U.S. Congress mandated that all public electric utilities must make net metering available to their customers.3

Sensor Data Manipulation

Smart meters will include sensors that will allow the utility companies to perform myriad tasks ranging from post mortem forensic analysis to power system restoration, to distribution network monitoring, restoration, and self-healing. However, if the integrity of the sensor data is compromised, the result will be disastrous.

Scenario

• Threat – Brett, a self-taught hacker, is curious about how the “whole smart grid thing works.” Being in high school, Brett lives with his parents, whose house was recently fitted with a smart meter. Brett spends hours upon hours playing with the smart meter and eventually is able to create a program that would send false sensor data for his entire neighborhood.

• Attack vector – The sensor data is sent from the smart meters to the utility company in an unencrypted format. Brett uses this insecure configuration to capture, manipulate, and successfully transmit false sensor data to the utility company. He is also able to capture network traffic for his neighbor’s smart meters and obtains their Internet Protocol (IP) addresses. Using his custom written program, Brett sends false sensor information to the utility company, indicating that Brett’s entire neighborhood is without power.

• Impact – The utility company, unsure of how a single neighborhood can lose power, sends a crew out to investigate. Upon arrival at the neighborhood in question, the crew reports that there is no outage. The utility company underestimates the criticality of the issue and simply chalks it up to a system malfunction. Brett, amused by the situation, performs similar attacks over the next two years, ultimately costing the utility company thousands of dollars in wasted man-hours.
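One way to close the gap in the attack vector above (sensor reports that the head-end accepts without any proof of origin), as an added example that is not from the book: each meter report carries a sequence number and an HMAC-SHA256 tag under a per-meter key, and the utility's head-end rejects reports whose tag does not verify or whose sequence number does not advance. The wire format, meter ids and key values are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed per-meter keys, assumed provisioned at install time and held by the
# utility's head-end (placeholder values, not real keys).
METER_KEYS = {
    "meter-0001": bytes.fromhex("00" * 31 + "01"),
    "meter-0002": bytes.fromhex("00" * 31 + "02"),
}


def sign_report(meter_id, seq, fields, key):
    """Meter side: canonical JSON body plus an HMAC-SHA256 tag over it. The
    sequence number is inside the signed body, so a captured report cannot be
    reused with a later number without also knowing the key."""
    body = {"meter": meter_id, "seq": seq, **fields}
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
    return msg + b"." + tag


class HeadEnd:
    """Utility side: accept a report only if its tag verifies under the sending
    meter's key and its sequence number is newer than the last one accepted."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}

    def accept(self, wire):
        msg, sep, tag = wire.rpartition(b".")
        try:
            body = json.loads(msg) if sep else None
        except ValueError:
            body = None
        if not isinstance(body, dict):
            return "reject: malformed"
        key = self.keys.get(body.get("meter"))
        if key is None:
            return "reject: unknown meter"
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad tag"  # produced without the key, or altered in transit
        seq = body.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(body["meter"], -1):
            return "reject: replay"
        self.last_seq[body["meter"]] = seq
        return "accept"


def demo():
    """Genuine report, then an outage report produced under a guessed key, then
    a replay of the genuine report; returns the head-end's verdict on each."""
    head_end = HeadEnd(METER_KEYS)
    key = METER_KEYS["meter-0001"]
    good = sign_report("meter-0001", 7, {"status": "ok", "kwh": 1.25}, key)
    forged = sign_report("meter-0001", 8, {"status": "outage"}, b"guess")
    return head_end.accept(good), head_end.accept(forged), head_end.accept(good)
```

Knowing a neighbor's meter id and the message layout, as Brett does in the scenario, is no longer enough: without the per-meter key the spoofed outage report fails the tag check, and a captured genuine report fails the sequence check.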

AVAILABILITY

Availability is attained when the service provided by the utility companies is protected from unauthorized interruption. A loss of availability has a significant impact on utility companies and those that rely on their services. This includes consumers, organizations, businesses, and governments.

Consumer Targets

Consumers will be the targets of attacks on the availability of the power to their houses. These attacks will most likely come from script kiddies or people the victims know. Despite the relatively innocuous intent of the attackers, the impact of their exploits will wreak havoc on their victims.


Scenario

• Threat – Carla’s ex-boyfriend, Andy, wants revenge for Carla breaking up with him. Andy is able to attack Carla’s smart meter to create a blackout localized to Carla’s townhouse.

• Attack vector – Carla’s default wireless router configuration allows Andy to easily access her wireless network and connect to the Web front end of her smart meter. Once access to the smart meter was obtained, Andy changed its default password and shut down power to Carla’s townhouse.

• Impact – Carla is left without power and is unable to connect to her smart meter to re-enable power as her wireless network is down and she no longer knows the password to the unit.

TIP Ever wondered what the default password was for a device you own? Or a device someone else owns? Phenoelit-US.org maintains a comprehensive and up-to-date list of default vendor passwords at www.phenoelit-us.org/dpl/dpl.html.

Organizational Targets

Much like consumers, organizations will be the targets of attacks on the availability of the power to their locations. These attacks will come from script kiddies, professional hackers, or people the organizations know. However, unlike the attacks on consumers, the intent of the attackers will most certainly be malicious and may result in extortion.

Utility Companies

The most obvious organization targeted by those attacking the new smart grid is the utility companies. The utility companies will represent the “holy grail” of targets to attackers. Script kiddies will try to compromise the utility companies for notoriety, while professional hackers may be sponsored and have more malicious drivers. We will cover these drivers shortly.

Scenario


