Five years ago, Ofer Shezaf, founder of OWASP Israel, shared his findings on the lack of security in electric car-charging stations at the 2013 Hack In The Box conference. He concluded that such attacks are not very likely because of their complexity: to even find these vulnerabilities, the hacker needs to be both a security and subject matter expert. However, just a few weeks ago, Russian authorities arrested a man for distributing gas station malware in a multimillion-dollar fraud scheme.
While they are fundamentally different systems — physical fuel vs. electricity — both may utilize advanced metering infrastructure (AMI) to bill users for their energy consumption. AMIs may consist of millions of smart meters and extend over large geographic areas. With such a wide attack surface within an extremely lucrative industry, cyber-physical systems in smart energy solutions are all the more susceptible to attacks.
First of all, what are cyber-physical systems?
Introducing the smart grid:
The smart grid is a type of cyber-physical system for efficiently distributing electrical energy according to fluctuating electric demands. Physical sensors along transmission lines and two-way communication between consumers and energy service providers allow for both parties to monitor and control power consumption. For consumers that means having real-time data on their electricity usage and pricing to allow for cost-saving lifestyle adjustments. For energy suppliers, that means the ability to implement dynamic pricing and better grid management during demand surges.
Enabling all of that smart grid technology is the AMI. These smart meter networks transmit meter data to electricity providers wirelessly, so on-site meter reading is no longer required. This is how people are able to receive electricity consumption and pricing data in real-time.
As with all data traveling through any type of communication network, interception and tampering are very real concerns. Data corruption could mean that the entire cyber-physical system involved in supplying, consuming, metering and billing energy is vulnerable to disruption.
What are the effects of those vulnerabilities?
Back to the multimillion-dollar gas station malware scheme: Hacker Denis Zayev developed malicious software to manipulate electronic gas pumps into pumping up to 7% less gas than customers were being charged for, and rogue gas station employees were enlisted to short customers for the gas they paid for in full. Tracks were cleverly covered up, with gas pumps, cash registers and back-end systems all reflecting the false data, making detection nearly impossible, especially with gasoline inventory being monitored remotely.
Recall Ofer’s disclaimer at the conference, where he shared how electric car-charging stations could be hacked by a sophisticated expert: “the risks are small but they are aggregative.” This aspect of security risks, considered alongside the recent gas station malware incident, has profound implications for how we should view newfound vulnerabilities in cyber-physical systems:
1) It may take sophisticated skills to develop a workable hack, but not to unleash one
It’s not wise to assume the likelihood of an exploit based on how difficult it is to execute. When expected returns are low, the perceived risks are also low. However, people have managed to monetize cybercrimes in recent years (think exploit kits and crime-as-a-service), so that hacks are no longer “for lulz” and mischief, but a lucrative industry. The Russian hacker’s success in roping gas station employees into executing the hack for him with their privileged access shows that with even one skilled hacker and just a few willing accomplices, there can be a business model for cybercrime executed at scale.
2) Data integrity is key to implementing smart technology
Cyber-physical systems allow us to power up our industries, generating actionable data for remote monitoring and management at scale. However, they also inherit the same vulnerabilities that plague traditional web-facing systems like intranet servers and e-commerce applications. Web and data security fundamentals therefore also apply, and so implementing both cyber and physical authentication becomes crucial. Charging points, metering devices and batteries should be authenticated, with data transfers between them encrypted and tamper-proof. This assurance of accurate measurement and delivery of power supports non-repudiation when it comes to energy metering and billing.
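As an added illustration (not code from the original post), the sketch below shows a head-end system accepting a meter reading only if it comes from a known device, carries a valid integrity tag and is not a replay. The device IDs, keys, field names and the `HeadEnd` class are constructed for the example. It uses a shared-key HMAC, which gives authentication and tamper detection only; non-repudiation would require per-device asymmetric signatures.

```python
import hashlib
import hmac
import json

# Constructed per-device key; a real meter would hold its key in secure
# hardware, never in source code.
DEVICE_KEYS = {"meter-001": b"constructed-demo-key-001"}


def _canonical(device_id, counter, kwh):
    # Deterministic encoding so meter and verifier MAC identical bytes.
    fields = {"device": device_id, "counter": counter, "kwh": kwh}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id, counter, kwh, key):
    """Meter side: attach an HMAC-SHA256 tag to a reading."""
    tag = hmac.new(key, _canonical(device_id, counter, kwh), hashlib.sha256)
    return {"device": device_id, "counter": counter, "kwh": kwh,
            "tag": tag.hexdigest()}


class HeadEnd:
    """Utility side: accept only authentic, fresh readings."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted per device

    def verify(self, msg):
        device = msg.get("device")
        key = self.keys.get(device)
        if key is None:
            return "unknown-device"
        body = _canonical(device, msg.get("counter"), msg.get("kwh"))
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag")).encode()):
            return "bad-tag"
        if msg["counter"] <= self.last_counter.get(device, -1):
            return "replay"
        self.last_counter[device] = msg["counter"]
        return "ok"


def demo():
    head = HeadEnd(DEVICE_KEYS)
    good = sign_reading("meter-001", 1, 42.0, DEVICE_KEYS["meter-001"])
    # Constructed case: value altered in transit by 7%, original tag kept.
    altered = dict(good, counter=2, kwh=round(42.0 * 0.93, 2))
    unknown = sign_reading("meter-999", 1, 10.0, b"not-a-provisioned-key")
    return [head.verify(m) for m in (good, good, altered, unknown)]
```
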
Because of the physical components, cyber-physical systems are expensive to recall and complex to roll back. That is why security vulnerabilities should not be taken lightly even in the design phase of these systems if we want to fully reap the benefits of smart technology, without introducing threats that are embedded into society at scale.
More to come on securing industrial IoT, so be sure to look out for updates on our blog!