Reducing IoT-Enabled Smart Grid Risks
By Jeff Shepard for Mouser Electronics
Published October 21, 2021
Introduction
Adding more Internet of Things (IoT) capabilities is the next step in smart grid evolution. The expanding use of
IoT technologies to monitor and control the grid is expected to enhance its ability to economically and
efficiently deliver sustainable energy. Unfortunately, an increasingly IoT-enabled smart grid will include
millions of nodes, resulting in a much larger attack surface for an IoT-focused cyber-attack. It will also open
new vectors over which attacks can be launched.
The traditional threats from hackers, including gaining direct access to the control room and shutting down
resources or deception attacks on vulnerable sites such as substations to divert security resources before
gaining access to the control room and other command and control infrastructure, continue to be concerns. The
emergence of the IoT results in new threat vectors, some lying outside the utility’s direct control. For
example, hackers could gain access to thousands of IoT-connected residential appliances and/or commercial and
industrial equipment and simultaneously turn them on and off, resulting in a cascading failure of the entire
grid.
Today, IoT networks in the power utility sector are besieged by myriad security threats. Various developments
directly related to the changing nature and growing sophistication of utilities’ IoT-enabled grids have
turned energy environments into security minefields. Like Industry 4.0, the smart grid is a system of
cyber-physical systems. With that in mind, the National Institute of Standards and Technology (NIST) has developed
a Smart Grid Framework 4.0. This article reviews potential threat vectors, provides examples of malware attack
platforms, and concludes with some recommended methods for mitigating future security risks.
Cyber Threats from Within and Without
Cyber threats keep multiplying as the grid becomes increasingly interconnected. Potential attacks threaten wired
and wireless communications with a range of actions, from jamming the communications with a flood of traffic to
manipulating data flows. In either case, the ability of operators to control the network can be severely
compromised. And the risks are not just inside the grid command and control systems; growing numbers of
grid-connected devices throughout the grid infrastructure and at customer locations are IoT-enabled and can be
used for side attacks. Potential attack vectors can arise from outside the grid or by the acts of disgruntled
employees.
To reduce the potential impact of an attack, the smart grid should be designed to isolate large segments from
compromised segments in real time to prevent a localized attack from spreading. For example, improved methods
for identifying risks and rapidly detecting attacks on distributed control and SCADA systems are required to
reduce and control the level of cyber threats. Substations may not always be staffed, and the SCADA systems in
substations can be especially vulnerable (Figure 1).
Figure 1: SCADA systems in electricity substations can be especially
vulnerable to cyber-attacks. (Source: BBSTUDIOPHOTO/Shutterstock.com)
False positives can be a particularly troublesome problem. There are hundreds of thousands of
wirelessly-connected sensors monitoring the grid, and bad actors can gain control of those sensors and send
false data. Tricking personnel to respond to a false alarm can result in significant damage to the grid.
Improved algorithms are needed to validate positive intrusion alarms and identify tampering with sensors and
other data. So-called ‘self-healing’ mechanisms need to be closely monitored to avoid introducing
more problems. Monitoring is critical; a single compromised device can make the entire grid vulnerable. A
successful large-scale cyber-attack can bring down the electricity supply to a whole city or region, resulting
in massive financial losses. There are many forms of threats to the grid. Three examples include:
- Shutting down the grid. In addition to the direct financial losses, shutting off power to large areas can
enable terrorist activities or large-scale criminal activity.
- Distracting command center resources through deception can allow attackers to successfully take control of
substations or other critical infrastructure, leading to large-scale service disruption and cybercrimes.
- Manipulating demand attacks using malicious botnets is an emerging threat vector requiring new ways of
approaching grid security.
MadIoT, Mirai, and KRACK
Wi-Fi networks present an attractive threat surface. Manipulation of demand via IoT (MadIoT) attacks through
Wi-Fi-connected devices is a major concern. Wi-Fi-enabled high-wattage appliances such as air conditioners
(typically about 1 kW power consumption), water heaters (5 kW), ovens (4 kW), and space heaters (1.5 kW) that can be
controlled via the Internet are becoming more common. The Electric Power Research Institute (EPRI) refers to
these Wi-Fi-capable appliances as a type of grid-connected device (GCD).
The use of GCDs is encouraged because they bring multiple benefits to utilities, including the ability to
monitor, schedule, and control local devices, enabling improved methods for demand response. An IoT botnet of
high-wattage GCDs can potentially be used to manipulate the power demand on the grid. Examples of MadIoT attacks
include:
- Frequency instability: An abrupt change up or down in power demand, produced by synchronously
switching many high-wattage GCDs on or off, causes an equally sharp swing in the grid’s frequency (a
demand surge pulls it down; a demand drop pushes it up). If the swing exceeds a critical threshold, it can
result in a large-scale blackout.
- Cascading failures and line failures: If the imbalance is below the critical threshold and
the frequency is stabilized, an increase in demand may still result in local overloads and failures. Local
imbalances can add together and cascade through the system, especially if one locality is experiencing
increased demand while another adjacent area is experiencing a decrease in demand.
KRACK (Key Reinstallation Attack) takes advantage of the Wi-Fi Protected Access protocol that secures Wi-Fi
connections (Figure 2). By replaying the third message of the WPA2 handshake, an attacker forces the client to
reinstall an already-in-use key and reset the nonce it transmits with; because the nonce is then reused, the
attacker can gradually match encrypted packets and recover the keystream used to encrypt Wi-Fi traffic. This is
a flaw in the Wi-Fi standard, not a flaw in specific Wi-Fi implementations. As a result, the security protocol
in many Wi-Fi devices can be bypassed. An attacker can use KRACK to compromise specific high-value targets.
Figure 2: A KRACK attack can bypass the security protocol protecting many
Wi-Fi devices, allowing the attacker to control a device. (Source: Nicescene/Shutterstock.com)
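The nonce reset at the heart of KRACK, as an added illustration that is not from the article or from any Wi-Fi driver: a toy supplicant model comparing the pre-patch behaviour (reinstall the key and reset the packet number) with the fixed behaviour (install a key only once), plus the check a wireless IDS can apply to spot the resulting (key, nonce) reuse. No cryptography is performed and the key identifier "ptk-1" is a placeholder.

```python
# Added illustration, not code from the article or from any Wi-Fi driver: a toy
# supplicant that tracks only the installed key and the per-packet nonce.

class Supplicant:
    def __init__(self, reinstalls_keys):
        self.reinstalls_keys = reinstalls_keys  # True = pre-patch behaviour
        self.installed = None                   # identity of the installed PTK
        self.pn = 0                             # next packet number (nonce)
        self.sent = []                          # (key_id, pn) for each frame

    def on_message3(self, key_id):
        """Message 3 of the handshake: install the PTK and reset the nonce.

        A retransmission carries the same key. A vulnerable client reinstalls
        it and resets pn to 0; the fixed client installs a key only once.
        """
        if self.installed == key_id and not self.reinstalls_keys:
            return
        self.installed, self.pn = key_id, 0

    def send(self):
        """Transmit one data frame, consuming one nonce value."""
        self.sent.append((self.installed, self.pn))
        self.pn += 1


def nonce_reuse_events(frames):
    """(key_id, pn) pairs seen twice: each is keystream reuse a WIDS can flag."""
    seen, reused = set(), []
    for frame in frames:
        if frame in seen:
            reused.append(frame)
        seen.add(frame)
    return reused


def run(reinstalls_keys):
    """Three frames, a replayed message 3, three more frames; report reuse."""
    client = Supplicant(reinstalls_keys)
    client.on_message3("ptk-1")
    for _ in range(3):
        client.send()
    client.on_message3("ptk-1")      # replayed / retransmitted message 3
    for _ in range(3):
        client.send()
    return nonce_reuse_events(client.sent)


if __name__ == "__main__":
    print("vulnerable:", run(True))   # three reused (key, nonce) pairs
    print("fixed:", run(False))       # []
```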
While KRACK can be used against specific targets, Mirai malware and its numerous variants can build large-scale
botnets. Once a device is infected by Mirai, the malware continuously scans IP addresses for other
IoT-connected devices. It identifies vulnerable devices using a table containing dozens of default usernames and
passwords. Infected devices continue to operate normally until the botnet is activated. Unfortunately, it is all
too common for users to leave the factory default usernames and passwords unchanged, making hundreds of
thousands of devices, including high-wattage GCDs, vulnerable to Mirai.
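Detection logic for the scanning behaviour described above, as an added example that is not from the article or from any utility's tooling: it groups device login attempts by source address and flags a source that cycles through several usernames against one device within a short window, escalating the verdict when a login then succeeds. The log format, device names and addresses (RFC 5737 documentation ranges) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Added illustration, not code from the article or any utility's SOC tooling.
# Log format, device names and addresses (RFC 5737 ranges) are constructed.
LINE = re.compile(r"^(?P<ts>\S+) dev=(?P<dev>\S+) src=(?P<src>\S+) "
                  r"svc=\S+ user=(?P<user>\S+) result=(?P<res>ok|fail)$")

SAMPLE_LOG = """\
2021-10-21T10:00:01Z dev=wh-12 src=203.0.113.7 svc=telnet user=root result=fail
2021-10-21T10:00:02Z dev=wh-12 src=203.0.113.7 svc=telnet user=admin result=fail
2021-10-21T10:00:02Z dev=wh-12 src=203.0.113.7 svc=telnet user=support result=fail
2021-10-21T10:00:04Z dev=wh-12 src=203.0.113.7 svc=telnet user=admin result=ok
2021-10-21T10:05:00Z dev=ac-03 src=192.0.2.44 svc=https user=owner result=fail
2021-10-21T10:05:30Z dev=ac-03 src=192.0.2.44 svc=https user=owner result=ok
"""


def parse(text):
    """(ts, dev, src, user, result) per well-formed line; junk is skipped."""
    events = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc),
                       m["dev"], m["src"], m["user"], m["res"]))
    return events


def detect_scanners(events, window_s=60, min_fail=3, min_users=3):
    """Map (src, dev) -> 'scanning' when a source fails min_fail logins with
    min_users distinct usernames inside window_s seconds (a credential table
    being cycled), or 'compromised' when a login also succeeds in that window."""
    by_pair = defaultdict(list)
    for ts, dev, src, user, res in sorted(events):
        by_pair[(src, dev)].append((ts, user, res))
    verdicts = {}
    for pair, rows in by_pair.items():
        for i, (t0, _, _) in enumerate(rows):
            win = [r for r in rows[i:] if (r[0] - t0).total_seconds() <= window_s]
            fails = [r for r in win if r[2] == "fail"]
            if len(fails) >= min_fail and len({r[1] for r in fails}) >= min_users:
                verdicts[pair] = ("compromised" if any(r[2] == "ok" for r in win)
                                  else "scanning")
                break
    return verdicts


if __name__ == "__main__":
    print(detect_scanners(parse(SAMPLE_LOG)))
```

The homeowner at 192.0.2.44 who mistypes a password once is not flagged; the source cycling root, admin and support against the water heater is, and its later success marks that device for isolation and a credential reset.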
Cybersecurity Risk Management
A laboratory to experiment with methods to identify and protect against cyber-attacks has been built by the
National Cybersecurity Center of Excellence (NCCoE) at NIST. As a result of the work by NCCoE, NIST has
published a Framework for Improving Critical Infrastructure Cybersecurity to help organizations better manage
and reduce cybersecurity risk to critical infrastructure and other sectors. The framework is based on five
functions: Identify, Protect, Detect, Respond, and Recover (Figure 3). Represented as a
circular activity, cybersecurity is a continuous process; it is never completed.
Figure 3: Cybersecurity risk management core functions. (Source: NIST)
- Identification is the foundational activity for understanding and managing cybersecurity
risks to systems, data, and assets. It supports understanding the business context and resources needed to
enable critical functions, including risk assessment and risk management strategies.
- Protection involves development and implementation of necessary safeguards to ensure
delivery of critical services. Protection functions include personnel identity management and access
control, data security, information protection, and personnel awareness and training.
- Detection involves developing and implementing the systems needed to identify cybersecurity
events and malicious activity in a timely manner with a minimum of false positives. It includes understanding
anomalies, continuous security monitoring, and rapid and accurate categorization of threat levels.
- Response covers the actions taken on detected cybersecurity attacks. Response
planning, communications within and outside the organization, analysis, mitigation, and development of
response improvements are all critical parts of this activity.
- Recovery should support rapid return to normal activities to reduce the impact of any
cybersecurity intrusions and ensure the grid's resilience. Because of the many threat vectors and the
continuous emergence of new threat vectors, recovery planning is a complex and ongoing process.
Conclusion
The expanding use of IoT devices for smart grid monitoring and control enhances the ability to deliver
sustainable energy economically and efficiently. Unfortunately, an increasingly IoT-enabled smart grid will
include millions of nodes, resulting in a much larger attack surface for an IoT-focused cyber-attack. It will
also open new vectors over which attacks can be launched. For example, MadIoT attacks using the Mirai botnet can
turn insecure IoT devices into weapons of mass disruption that can have devastating consequences going far
beyond individual security or privacy losses. This necessitates a rigorous and never-ending pursuit of the
security of IoT devices as a critical element in the overall goal of better managing and reducing cybersecurity
risk to critical infrastructure.
Author Bio
Jeff has been writing about power electronics, electronic components, and other technology topics for over 30 years. He
started writing about power electronics as a Senior Editor at EETimes. He founded Powertechniques, a power
electronics design magazine with a monthly circulation of over 30,000. He subsequently founded Darnell Group, a
global power electronics research and publishing firm. Among its activities, Darnell Group published
PowerPulse.net, which provided daily news for the global power electronics engineering community. He is the
author of a switch-mode power supply textbook, titled “Power Supplies,” published by the Reston division of
Prentice Hall.
Jeff was co-founder of Jeta Power Systems, a maker of high-wattage switching power supplies
acquired by Computer Products. Jeff is also an inventor. His name is on 17 U.S. patents in the fields of thermal
energy harvesting and optical metamaterials. He is an industry source and frequent speaker on global trends in
power electronics. He has been invited to speak at numerous industry events, including the Plenary Session of
the IEEE Applied Power Electronics Conference, Semicon West, Global Semiconductor Alliance Emerging
Opportunities Conference, IBM Power and Cooling Symposium, and Delta Electronics Senior Staff Seminar on Global
Telecommunications Power. Jeff has a master's degree in Quantitative Methods and Mathematics from the University
of California, Berkeley.