SMETS 2 … A Step Forward in Energy Saving or a Backdoor To Bring Down A Country?

The roll-out of smart meters in the UK has been a bit of a farce, and has been delayed for over three years. Now SMETS (Smart Metering Equipment Technical Specification) 2 is on its way, and many are worried that it could become a spy in your home, and that it could even result in a large-scale power outage. The smart meter infrastructure was proposed in 2009, with virtually every home to have a smart meter by 2020.

It is thought that the most serious risk is a ‘man in the middle attack’, where a fake receiver inserts itself between the smart meter and the supplier, and could stop messages from being received.

A Major Design Flaw

The state of understanding of cryptography is generally weak, and many systems are flawed in the way they integrate it. Companies, for example, often have little idea about where their encryption keys are stored, and who has access to them. There is still a feeling, too, in the design of systems that security is an afterthought … “we’ll build it, and then secure it!”.

The great worry, though, is the lack of security of Internet of Things (IoT) devices, such as smart meters, for it has been proposed that the 53 million smart meters in the UK will share a single decryption key. Anyone who knows anything about cryptography knows that a single decryption key leaves the whole infrastructure open to a wide-scale data breach on the leakage of that key.

The roll-out was part of a scheme for smart meters in the UK, and it is thought that it will save consumers around £26 per year, with a £30 cost for a Wi-Fi-enabled energy meter.

With the roll-out of SMETS 1 in the UK, we had fairly sophisticated devices which not only monitor power but can also be used to control the energy within the home. This would allow power companies to shut off the power supply to those who do not pay their bills.

The design and roll-out of the meters has been pitted with problems, such as the implementation of weak cryptography methods which had known weaknesses. Overall, the system went for a modified cryptography implementation, rather than using standard encryption techniques, and weaknesses have been identified in it.

Luckily, for security, GCHQ stepped in on the issue and identified the problem, which could have caused chaos. A large-scale hack, for example, could cause the meters to shut down, or even cause power surges which could bring down the energy infrastructure in the UK. The economic effects of a large-scale shutdown of the energy infrastructure in a country would be massive, including the shutdown of data centers, health care facilities, and everything else which relies on electronic communications.

The creation of a secure network is a fairly easy thing to do, and there are many methods which could have been used to generate unique IDs and encryption keys for each device. Normally this involves a key negotiation process, where a unique key is created for every device to use.
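To make the single-key worry concrete, here is an added example (not SMETS code, not from the original article) of one standard way to give every device its own key: derive it from a back-end master key and the device's identifier with HKDF (RFC 5869). The master key, the salt label, the meter IDs and the HMAC-only "sealing" of readings are all assumptions made for the illustration. The last function measures the blast radius of one leaked key under each design.

```python
"""Per-device key diversification with HKDF, contrasted with a single fleet-wide key.

Added example (not SMETS code): the key hierarchy, labels and meter IDs are
assumptions chosen to illustrate the point in the text above.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
TAG_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Derive a key unique to one meter by binding the master key to the meter's ID.

    Assumption: the master key never leaves the back-end; only the derived key is
    provisioned onto the device. HKDF is one-way, so a derived key reveals neither
    the master key nor any sibling device's key.
    """
    return hkdf_sha256(master_key,
                       salt=b"meter-key-diversification-v1",  # assumed label
                       info=b"device:" + device_id.encode("ascii"))


def seal(key: bytes, reading: bytes) -> bytes:
    """Attach an HMAC-SHA256 tag to a meter reading (integrity only, to stay in the stdlib)."""
    return reading + hmac.new(key, reading, HASH).digest()


def verify(key: bytes, sealed: bytes) -> bool:
    """Check the tag in constant time; True only if `key` produced it."""
    reading, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, reading, HASH).digest())


def forgeable_devices(leaked_key: bytes, fleet_keys: dict) -> list:
    """Given one leaked key, list the devices whose messages it can forge or read."""
    probe = seal(leaked_key, b"constructed probe reading")
    return [dev for dev, key in fleet_keys.items() if verify(key, probe)]


def compare_designs(n_devices: int = 5) -> tuple:
    """Blast radius of one leaked key: (shared-key design, per-device-key design)."""
    master = os.urandom(32)
    ids = [f"METER-{i:04d}" for i in range(n_devices)]  # constructed meter IDs
    shared = {dev: master for dev in ids}                # the design the text warns about
    diversified = {dev: derive_device_key(master, dev) for dev in ids}
    victim = ids[0]
    return (len(forgeable_devices(shared[victim], shared)),
            len(forgeable_devices(diversified[victim], diversified)))


if __name__ == "__main__":
    print("devices exposed by one leaked key (shared, per-device):", compare_designs(5))
```

With the shared-key design, the key lifted from a single meter verifies (and so can forge) traffic for every meter in the fleet; with diversified keys it verifies only its own. A real deployment would pair the derived key with an authenticated-encryption mode rather than a bare HMAC, and would rotate the master key through key negotiation, as the paragraph describes, but the containment property is the same.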

Hard-wired passwords

It was recently found that Schneider Electric, who make SCADA (supervisory control and data acquisition) equipment, had a hard-coded password in one of their logic controllers. In fact, it is burnt into the firmware, and can’t even be changed.

This password was used as a decryption key, and was generated by the phrase:

SoMachineBasicSoMachineBasicSoMa

The researchers who found it contacted Schneider, and the company admitted to the failure in the systems. Other companies involved in SCADA systems, such as Siemens, have also been caught doing similar things.

Along with this, there have been many discoveries of hard-wired passwords in devices, including in the software used within Cisco Aironet wireless access points, and a password of “12345678” was coded into Lenovo’s SHAREit file-sharing application. In health care there are many examples of devices with hard-coded passwords: Billy Rios and Terry McCorkle of Cylance found them in over 300 medical devices, across 40 different vendors.

An army of 500K

In 2018 an attack against Dyn focused on the 1,200 domains that they take care of, and caused large-scale problems across the Internet (as many of their customers are leading Cloud service providers). A flood of traffic into the Dyn network caused a slowdown in their core services for their customers (including Amazon, GitHub and Twitter). This included traffic from a range of IoT devices, such as Web cameras and CCTV systems, which had been infected by the Mirai botnet.

A hacker named Anna_Senpai released the source code for Mirai, and was responsible for a 620 Gbps attack on the KrebsOnSecurity site. One of the companies identified as being responsible for the devices used in the attack is XiongMai Technologies (XM), who manufacture equipment used for white-labelled CCTV and IP Web camera applications.

It was then discovered that the default username and password combination is root and xc3511, respectively. Overall, it is thought that there are over half a million of these devices on the Internet which can be connected to by Telnet, where the malware can then be installed. As these systems tend not to update themselves, an intruder can create scripts which scan for port 23 (Telnet) and then try to connect with the default password. If successful, the script can then upload the malware and compromise the device. Many people running CCTV systems might have no idea that their devices are being used to launch an attack against the core of the Internet. Within the malware code, here is the line which compromises the XM devices:

add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10); // root xc3511
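The line above is unreadable because Mirai's scanner stores each username and password XOR-ed byte-by-byte with the single byte 0x22, which is how "root" becomes "\x50\x4D\x4D\x56". The following is an added analyst's helper (not Mirai code and not from the original article) that decodes entries of that form back into the credential table, and then uses the decoded table the way a defender would: to audit a device inventory for units still sitting on a listed default pair. The only real input is the one entry quoted on this page; the regular expression, the function names and the device inventory are constructed for the example.

```python
"""Recovering the credential table from Mirai's XOR-obfuscated add_auth_entry() calls.

Added example for analysts (not Mirai code): the leaked scanner source stores each
username and password XOR-ed byte-by-byte with 0x22. The inventory is constructed.
"""
import re

XOR_KEY = 0x22  # single-byte key used by Mirai's scanner for these strings

# Matches: add_auth_entry("<\xNN...>", "<\xNN...>", <weight>)
ENTRY_RE = re.compile(
    r'add_auth_entry\("((?:\\x[0-9A-Fa-f]{2})+)",\s*"((?:\\x[0-9A-Fa-f]{2})+)",\s*(\d+)\)'
)


def c_escapes_to_bytes(literal: str) -> bytes:
    """Turn a C string literal made of \\xNN escapes into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", literal))


def deobfuscate(data: bytes) -> str:
    """Undo the per-byte XOR; XOR with the same key is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data).decode("ascii")


def parse_auth_table(source: str) -> list:
    """Extract (username, password, weight) triples from scanner source text."""
    table = []
    for user_lit, pass_lit, weight in ENTRY_RE.findall(source):
        table.append((deobfuscate(c_escapes_to_bytes(user_lit)),
                      deobfuscate(c_escapes_to_bytes(pass_lit)),
                      int(weight)))
    return table


def audit_inventory(inventory: list, auth_table: list) -> list:
    """Defender's use of the decoded table: flag devices still using a listed default pair."""
    defaults = {(user, password) for user, password, _ in auth_table}
    return [name for name, user, password in inventory if (user, password) in defaults]


# The one entry quoted on the page (the only real input used here).
SAMPLE_SOURCE = r'add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10); // root xc3511'

# Constructed device inventory: (device name, configured username, configured password).
SAMPLE_INVENTORY = [
    ("cam-lobby", "root", "xc3511"),
    ("cam-loading-bay", "admin", "CONSTRUCTED-unique-passphrase"),
]

if __name__ == "__main__":
    table = parse_auth_table(SAMPLE_SOURCE)
    print("decoded:", table)
    print("devices on defaults:", audit_inventory(SAMPLE_INVENTORY, table))
```

The weight (10 here) is the relative frequency with which the scanner tries that pair; for a defender it is a priority hint for which defaults to hunt for first in an asset inventory.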

The following shows a compromise of a Web cam which has poor security:

A search of Shodan shows over 569,214 devices running Uc- 1.0.0 (search for ‘server: — 1.0.0" “Expires: 0”’) that have the potential to be compromised [XM built DVRs]:

Overall there were two main waves of attack:

  • Wave 1. This focused on Dyn data centers in Chicago, Washington, DC, and New York. This affected services located on the East Coast of the US.
  • Wave 2. This happened around 7 pm (EST) and was focused on 20 Dyn data centers around the world. This would have required extensive planning, as the controller would have had to gather enough local bot agents to sustain an attack against the data centers.

These attacks, unlike most other DDoS attacks, used TCP SYN floods against port 53 of the DNS servers, along with a subdomain attack. For this, the attacker uses a valid domain, such as:

mycoffeeshopboston.com

and then tags an invalid subdomain onto the start, such as:

boblovescoffee.mycoffeeshopboston.com

The queried DNS server will not have this in its cache, and must then go to the authoritative source for the domain, which, in this case, was Dyn. This floods the Dyn network with requests from DNS servers asking about the non-existent name. The only way to cope with this is to increase the bandwidth of the incoming network and to spin up more servers to cope with the demand.

In this case, the Mirai-sourced IoT botnet, along with other compromised devices, was used to create this attack. The botnet controller commands the infected network either to flood the target system with a SYN flood on port 53, or to perform a DNS lookup on a domain that the target manages (the target in this case being Dyn). For example, they could ask for a name within the mycoffeeshopboston.com domain (for which the target is the authoritative server). The local DNS servers do not have this in their cache, so they ask the authoritative server. Unfortunately, it won’t have the name registered, and will be swamped by requests from the DNS server infrastructure.
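The traffic pattern just described has a distinctive signature on the resolver or authoritative side: almost every query for the zone is a name nobody has asked for before, and almost every answer is NXDOMAIN. The following added example (not from the original article) runs that check over a constructed query log; the log format, the thresholds, the "last two labels" rule for the zone and the sample traffic under the article's mycoffeeshopboston.com domain are all assumptions made for the illustration.

```python
"""Spotting a random-subdomain flood in DNS query logs.

Added example (not from the original article): flags zones that receive many
distinct, never-repeated names which all return NXDOMAIN. Log format,
thresholds and the sample traffic are constructed.
"""
import hashlib
from collections import defaultdict

# Constructed log format: "<epoch_seconds> <client_ip> <qname> <rcode>"


def parse_line(line: str) -> tuple:
    ts, client, qname, rcode = line.split()
    return float(ts), client, qname.lower().rstrip("."), rcode


def zone_of(qname: str) -> str:
    """Registrable zone; assumption: the last two labels (adequate for the sample data)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_random_subdomain_flood(lines, min_queries=50, min_unique_ratio=0.9,
                                  min_nxdomain_ratio=0.8) -> list:
    """Return alerts for zones where almost every query is a distinct name and almost all fail.

    Legitimate zones repeat a handful of names (www, mail, api, ...) and mostly resolve;
    the attack in the text sends a fresh label per query, so caches never help and the
    authoritative server (Dyn, in the article) answers NXDOMAIN to every one.
    """
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "clients": set()})
    for line in lines:
        _, client, qname, rcode = parse_line(line)
        s = stats[zone_of(qname)]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        s["names"].add(qname)
        s["clients"].add(client)
    alerts = []
    for zone, s in stats.items():
        if s["total"] < min_queries:
            continue  # too little traffic to judge
        unique_ratio = len(s["names"]) / s["total"]
        nx_ratio = s["nx"] / s["total"]
        if unique_ratio >= min_unique_ratio and nx_ratio >= min_nxdomain_ratio:
            alerts.append({"zone": zone, "queries": s["total"],
                           "unique_ratio": round(unique_ratio, 2),
                           "nxdomain_ratio": round(nx_ratio, 2),
                           "clients": len(s["clients"])})
    return sorted(alerts, key=lambda a: a["zone"])


def constructed_log() -> list:
    """Synthetic query log: one flooded zone plus ordinary background lookups."""
    lines = []
    for i in range(120):  # 120 distinct junk labels under the article's zone, from 40 sources
        label = hashlib.sha1(f"junk-{i}".encode()).hexdigest()[:12]
        lines.append(f"{1000 + i * 0.01:.2f} 198.51.100.{i % 40 + 1} "
                     f"{label}.mycoffeeshopboston.com NXDOMAIN")
    for i in range(60):  # normal clients repeatedly resolving one real name
        lines.append(f"{1000 + i * 0.02:.2f} 192.0.2.{i % 10 + 1} www.example.com NOERROR")
    for i in range(3):  # a few genuine typos: NXDOMAIN, but far too few to trip the ratio
        lines.append(f"{1001 + i:.2f} 192.0.2.{i + 1} wwww{i}.example.com NXDOMAIN")
    return lines


if __name__ == "__main__":
    for alert in detect_random_subdomain_flood(constructed_log()):
        print(alert)
```

On the constructed log only mycoffeeshopboston.com is reported (120 queries, every name unique, 100% NXDOMAIN, 40 distinct clients), while example.com, with its repeated lookups of www and a handful of typos, stays quiet. In production the same two ratios are usually computed per sliding window, and the client count is what tells a distributed botnet source apart from one misbehaving resolver.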

Energy networks are a target

While a great focus of security can often be on servers and end devices, many forget that intermediate devices may also be a target. With the increasing usage of IoT devices, it can be these devices which provide a way in for intruders — a side door. Along with this, IP-enabled phones, switches and routers often go unchecked for the presence of side doors into the company.

The Irish state energy provider EirGrid announced that it had detected that intruders had set up a wiretap within its Vodafone-sourced network. The IP addresses were traced to Ghana and Bulgaria, and the intruders had access to unencrypted communications. It is thought that these intruders could have been state-sponsored, and this follows an attack in April 2017. The most worrying thing is that an attack such as this could have brought large-scale power outages similar to those which recently affected Ukraine.

The most recent attack used Generic Routing Encapsulation (GRE) to tunnel into a router. GRE differs from the normal method that we use to create site-to-site tunnels (such as IPsec) in that it does not encrypt the network traffic. GRE was also recently used in a DDoS attack on the KrebsOnSecurity Web site.

Ukraine attack

A cyber attack on the power supply network hit an electrical transmission station near the city of Kiev (Ukrenergo) in December 2016, and resulted in a blackout for around 20% of the Ukrainian population. Luckily it only lasted for one hour, but many think that it was just a test — a dry run — for a more sustained attack.

This attack has now been traced to the Crash Override malware. A previous attack on the Ukrainian power infrastructure, in 2015, involved the manual switching-off of power to substations, but the newly discovered malware learns the topology of the supply network — by communicating with control equipment within the substations — and shuts down systems.

The company who analysed it (Dragos) think that it could bring down parts of the energy grid, but not the whole of it, and that the activation date of the malware sample was 17 December 2016. They also noted that the malware can be detected by looking for abnormal network traffic, such as searches for substation locations and probing of electrical circuit breakers.

It is not yet known how the malware managed to get into the network, but many suspect it may have been sent through phishing emails (as with the 2015 attack). Overall, Crash Override infects Microsoft Windows machines within the target network and then maps out the control systems in order to locate the key supply points, along with recording network activity which can be sent back to the controllers of the malware.

After the discovery phase, it is thought that Crash Override can load up one of four additional modules, which can communicate with different types of equipment (such as Honeywell and Siemens systems). This could allow it to target electrical supply networks in other countries.

Doing damage?

Another feature of the malware is that it could potentially damage electrical equipment and cause a large-scale outage. The malware was seen to disable the Siemens Siprotec digital relay, which is used to shut down electrical equipment if a dangerous surge is detected. The malware sends a specially crafted data packet to the device, which takes it offline (and a manual reboot is then required to get it back online).

This shutdown would mean that if the electrical supply was overloaded, the system would not shut itself down, and this could cause significant damage to the supply network. This type of damage could cause the whole of the supply network to trip, as the failure cascaded.

In the teardown process, the malware destroys all of the files it has infected and tries to cover its tracks.

Previously, in 2009, Stuxnet, thought to have been distributed by the US and Israel, was used to attack an Iranian nuclear enrichment facility.

So what?

A study by the Cambridge Centre for Risk Studies, for example, estimates that a large-scale power outage in the UK would result, in the worst case, in losses over five years of £442 billion from UK GDP. They conclude that the most plausible route would be to bring down the substations and cause blackouts for up to 13 million people, for several weeks at a time.

Tripwire recently surveyed 150 IT professionals in the energy industry and found that the number of attacks on their infrastructure had increased, and that 77% of recent attacks had been successful in some way. Overall, 68% said that the rate of success of the attacks had increased by 25% compared with the previous month. For the source of the attack, 78% reported attacks from external sources, and 30% reported attacks related to an insider (either someone working in the company or an ex-employee).

In conclusion, 83% of them thought that their companies were not confident of coping with a cyber attack. To provide some balance, 78% of them reported that they were confident that their organisations could detect sensitive and confidential information.

Jack Harrington, from Raytheon, tells it like it is, stating that our electrical supply is:

critical is to our daily comfort and ultimately our survival

and that it is vulnerable to cyber terrorists. He cites the cases of power supplies being affected in the Ukraine, and by white-hat hackers in the Midwest, where a RedTeam managed to gain access to a number of electrical power stations (often using social engineering methods).

You can see how easy it was for the RedTeam to gain access to supply stations, and you worry that others with a more malicious intent could cause chaos in other countries. With no electrical supply, data centers, ISPs, and all the other key services would fall like dominoes. Attacks on SCADA systems, for example, have risen by more than 100% over the past year. A large-scale blackout in the North-East US in 2003 caused considerable problems, and there the power network was tripped by a fault on the lines.