Guest post from the ICS cyber security blog:
Security tests for smart meters
01 May 2021 – icscybersec
Smart meters are one of the undeservedly overlooked components of ICS security, so I was pleased to see that researchers from FireEye (or Mandiant, a FireEye company) recently published an article on security testing of smart meters.
Smart meters are spreading faster and faster. If someone asks their electricity supplier to replace their ‘electricity meter’ (whether just for an extension or to install a solar power plant in their backyard), they will almost certainly be fitted with such a device. This means that an increasing proportion of domestic meters (not just the electricity suppliers’ meters, although these are perhaps the largest share) can now communicate over some kind of, mostly public, network. And we know that anything that can communicate on a public network, using a standard protocol, will sooner or later be found by people who will start looking for faults in this equipment, whether out of professional curiosity and with the best of intentions, or with less good intentions and driven by their own goals (whatever they may be). Almost no-one disputes today that every software-driven device has flaws, which means that these devices can be attacked, disabled or taken over with IT tools and methods.
Let’s now turn to Marc Elsberg’s book Blackout, which I read back in 2016. Its story begins with someone compromising a large number of smart electricity meters in European countries and then shutting them down simultaneously to cause a continent-wide blackout. When I read this book, I talked to some people in the electricity sector who were adamant that it was not possible to cause a blackout in this way, but I believed then, and still believe, that given a few factors such a scenario is not so impossible.
On the one hand, there can be little question that smart meters can be as vulnerable in software as any other “smart” device, from fitness bracelets to smart refrigerators to industrial IoT (IIoT) devices.
On the other hand, as far as I know (am I right?) there aren’t that many smart meters from different manufacturers with different firmware families in any one utility sector, so in the electricity sector it is reasonable to assume that only a limited number of different models of these smart meters are in operation.
All that is needed is a few vulnerabilities (0-day, i.e. not yet patched) plus some background and organisational skills, and an attacking group could compromise a large number of smart meters and, in a coordinated action, take a system-wide share of consumption off the electricity grid overnight. Whether such an incident then leads to a disturbance depends on the preparedness of the electricity supplier or, in the worst case, the electricity distributor.
So perhaps you can see why I feel such tests and publications are important, and I am curious to see when domestic researchers and IT and/or OT security companies will come forward with publications sharing their experiences of security testing domestic smart meters. There have also been some high-quality theses on the subject, but (as the publications of the FireEye researchers show) there is still plenty of room for improvement in this area.
***
The original guest post was published on the ICS cyber security blog.
Translated by DeepL.