, , ,

Hacking solar panel systems can bring the grid down

Nowadays, critical infrastructure requirements are focusing more and more on system security to guarantee that we don’t face crippling attacks on the critical systems that are supporting our society. Most of these requirements are focused on managing risks, which means companies need to assess their risk profiles first and identify the necessary measures to mitigate unacceptable risk levels.

If we translate that to the electrical grid, this means power plants and transmission companies face big efforts to control the risk levels of their systems because these companies are providing critical services for our society. What we are still lacking in this story, is the impact the society itself has on these systems.

We are imposing lots of security measures on the supply side, but none (yet) on the demand side. From a risk perspective, this causes imbalance. If we look at how a hacker could try to bring down the electrical grid, he has several options to do this:

  • Attack a power plant and reduce or increase the power capacity produced in a country/region and destabilize the grid
    • E.g. cause an incident at a nuclear plant, forcing it to shut down. Impact: max 1000MW per production plant
  • Attack the transmission or distribution system and limit the amount of power flowing to the users
    • E.g. take out a high voltage head station. Impact: depends on the connected capacity lines, load and alternative routes
  • Attack on a mass scale the devices of users that consume electricity at home and fluctuate the demand side so much that the electrical rid is destabilized
    • E.g. take control over solar panel inverters and switch them on/off every 2 min at full capacity .Impact: max. 3369 MW , depending on weather and size of attack

The last scenario is gaining the interest of hackers, as attacking these kind of devices requires less technical knowledge and is easily spread because most consumer devices are now internet connected and very vulnerable. As we are deploying solar panels on a fast rate (+10% increase per year) and they are using very similar (if not the same) hardware, the amount of end user devices (319.000 PV installations in 2017) to attack is rapidly growing. A quick report shows there are already more than 300 Belgian installations of SMA Sunny Boy which are connected directly to the internet.

 

,

Is Cybersecurity really on the agenda of the ICS community?

In November, Toreon (my colleague Vincent Haerinck and myself) attended the fifth LSEC annual Industrial Automation Security conference at the Antwerp Engineering Company.

It was a nice one-day event with speakers from companies such as Airbus, Rhode Schwarz, SecurityMatters, Kaspersky, DutchSec, Secudea and Flowman. Topics covered included “Actual and future Industrial Cyber Security views on Process, People and Technology”, “Cybersecurity Challenges at Airbus Defense & Space production”, “Protecting Industry 4.0 and the Industrial Internet of Things”, “Tricking the hacker: Honeypots for Industrial Control Systems”, “Hidden Dangers of Remote Management in ICS”.

Very interesting subjects, right?

The intended audience of the event included:

• Manufacturing Companies
• Critical Infrastructure Operators
• IT / OT Security Managers
• Plant / Production / Process Managers
• Industrial Control Systems [Security] Experts

And yet:
There were seventy seats at the event. Ten remained empty, ten were for speakers, ten for vendors, ten for students and ten for consultants such as myself. That leaves a about twenty seats for people from the Industry. Only twenty people from the industry attended a nice event about Industrial Automation Security!

What does that mean?
Do automation engineers just not care about security in the OT environment? I would have thought that incidents like Stuxnet, … would have shown people that ICS security really matters!
I still find it so unbelievable that companies are willing to invest time and resources to protect their intranet servers while at the same time leaving their production systems unprotected.

You know, today, OT systems are no longer purely mechanical and they are not isolated. They are IT systems that are connected to the rest of the IT infrastructure and (indirectly) to the internet. Worse yet, they often lag the IT world by five to ten years in technology but have a lifespan of several decades.
ICS systems really need to be protected!

What can we do to raise awareness in the ICS/SCADA/OT community?

, ,

Why the IT-OT Convergence is all about knowledge sharing

After attending the fifth Cyber and SCADA Security for Oil & Gas Industry conference, it became apparent lots of companies are having a hard time with the mingling of IT staff in the OT/ICS environments; the so-called IT-OT Convergence.

My personal opinion is that the involvement of the IT people in OT environments is a very positive thing, as both typically have their strong points:
– IT environments often have a broader experience of assessing cyber threats and their associated attack vectors as they have long left the ideology where they could protect all information systems by merely ensuring the physical security of the building they are placed in.
– Both IT and OT face increasing numbers of targeted attacks towards their environments, like Zeus, NotPetya, Trisis, BlackEnergy…
– Lots of IT-targeted attacks created collateral damage in the OT environments due to the type of malware and their attack vectors (e.g. the numerous ransomware attacks that were seen on SCADA and ICS systems, which were spread by infected USB devices or just because the system had direct internet access).
– OT people often have far more experience in risk and safety analysis, as they have been doing it for the better part of a century.

When combining these strong points, we might just create an acceleration in the ever-so-slow development cycle of the OT environments. However, we must also keep a few important things in mind:
– OT and IT have very different goals regarding what they want to protect from cyber-attacks. IT is typically all about confidentiality and privacy, where the OT environment is all about (personal) safety, reliability and availability.
– Some technologies in IT seem like a good fit for particular problems within OT, but they might break more than they fix. OT environments often contain legacy systems dating from the eighties or even before, using proprietary protocols and might even be retrofitted to be able to communicate over IP networks. Some automated network scans could e.g. break an older RTU by just trying to ping it.

With OT environments undergoing a skill drain, there are important challenges ahead that might require innovative approaches and efficiency gains.

I would strongly advise to keep putting the IT people in OT environments and vice versa, but solely to act as advisors to one another. Both have years or even decades of experience in their respective areas and now that they are facing similar challenges, time has come to join forces and go for a safer tomorrow!

, ,

Our guy at the Flux50 Smart Energy Academy

From the 22nd to the 24th of November I attended the first Smart Energy Academy by Flux50, which was focused on how the energy transition will impact the various aspects of the energy landscape in Flanders.

The Energy transition in Flanders consists of several large changes happening in the current context, including the introduction of larger scale renewable energy production, distributed energy production (solar panels etc), decentralized storage of electricity (home batteries), electric cars, hydrogen fueled cars …

Every market player, be it a producer or consumer and everything in between, showed what they expected of the near future.

The biggest takeaways for me were:

  • We are evolving to a massively distributed energy production and storage scenario, which will also change the attack scenarios of hackers towards our energy grid.
  • The vulnerability level of consumer-grade electronics is generally higher and the devices are less well-managed, and there will be a larger diversity of manufacturers and types of devices. This should make it much more difficult to write large scale attacks to impact a large part of the grid all at once. Attackers will have to change their current attack strategy from power plant-specific to generalized attacks.
  • Lots of devices are being connected to each other to create smart buildings or other intelligent systems, but the connections themselves are often only made on a per-project basis and no real security measures are considered during development.
  • Privacy: data about how a building is adapting itself to its users might seem trivial and non-privacy related, but imagine how you would feel if someone knew exactly when you came home, took a bath, exercised or were cooking dinner. Now imagine someone would know this about your whole building or whole neighborhood…

 

There is still some work to be done to ensure all systems communicate in a secure way and only authorized persons can access and control these systems or the data they produce.

There are still lots of improvement needed on security aspects in the energy sector, so I hope we can continue to guide the energy market towards a safer tomorrow!

,

The problem with ICS security improvements

In the BruCON workshop on ICS and SCADA security (which you can read about here), we learned how to hack ICS systems using Wireshark. In the progress of which we also came to some conclusions about problems with ICS security in real life.

One problem with ICS and SCADA systems is the limited hardware. Old PLCs run very limited chipsets, not at all comparable to the hardware that now runs our small devices. These systems were only designed to handle a very small set of data and logic actions. Even if you wanted to include them, there just isn’t any room for advanced software features like proper authentication or encryption.

Furthermore, many industrial facilities are now using unsupported PLCs. Upgrading security would mean replacing all of these old devices.

Then, if you decide to do so, making changes in the PLC environment is not so simple, when the environment is live. The focus of the business is on uptime. Awareness of ICS security is too low, so security improvements are not held in great value by the business, compared to the cost of stopping a production line.

,

Workshop ICS Pentest 101: A Junior’s View

Last month I attended Brucon 2017, the leading Belgian security conference held at the University of Ghent. The conference offers talks by renowned speakers and you can get your hands dirty in a variety of workshops. I attended ‘ICS Pentest 101’ by Arnaud Soullié and Alexandrine Torrents from Wavestone, a French consulting company. Since I had no prior knowledge of SCADA and Industrial Controls Systems (ICS) whatsoever, I was on unfamiliar ground.

I tried to imagine beforehand what pentesting ICS and SCADA systems would look like: some Hollywood style hacker plots came to mind, like scenes from ‘Mr. Robot’. Hackers can easily take control of machine rooms, robots, elevators and ventilation systems with rather unrealistic hacking methods.
I did not realise those scenes weren’t too far from the truth.

First, Alexandrine gave an introduction about how these systems actually work. She showed us how Programmable Logic Controllers (PLCs) of known manufactures, like Siemens and Schneider, function. She provided us with virtual machines to experiment with and we played around with simulated PLC software.
In Mr. Robot, when Elliot wants to take control over a factory or power plant, he simply needs to physically plug in on the network where all the PLCs are placed, to gain control over the machines. Because there is no data encryption or any form of authentication, he can simply intercept the traffic and make changes on the fly to tamper with the network traffic that is being sent to the machines.
This is exactly what we experienced during the workshop. We intercepted network data with Wireshark and edited it to change a machine’s behavior. We also learned to attack the unpatched PLC itself to take control of the system.

If these systems were critical for safety, holy *% !