Smart Meters – managing critical infrastructure cyber risks requires diligence, focus and deep expertise!

By Krzysztof Swaczyński

 

It’s time to act for Power and Utilities across the EU!

 

According to Annex 1 of the Electricity Directive 2009/72/EC (currently replaced by Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules for the internal electricity market), 80% of the electricity meters rolled out to consumers by 2024 are required to be meters of a new generation, commonly named ‘smart meters’ (subject to a cost benefits analysis), as a part of the ‘smart grid’ concept. While the deployment of the electrical ‘smart grid’ infrastructure increases its functionality, the risk associated with its operation increases. Complex solutions which are implemented to run it require an advanced approach to the identification and management of cybersecurity risks. The power grid, which is one of the most crucial pieces of critical infrastructure, tops the list of interest of various APTs (an APT is an advanced persistent threat – a stealthy threat actor, typically nation or state-sponsored) and other threat actors. Hence the security testing of solutions such as advanced metering infrastructure (AMI) and smart meters and their security solutions must be of the highest standards.

 

He owes his fame to the fact that young Rickey had the dubious honor of being the first Dutchman ever to be arrested for a hack. Of course I want to know more about that, but first I want to explain to the reader what a hacker is exactly.

 

A synopsis of the AMI architecture

 

The most important element of AMI is the actual electricity meter, or, as it has been fashionably named, ‘the smart meter’. The main functional addition of a smart meter in comparison to its traditional counterpart is the remote communication capability, i.e., sending the meter readings to the operator.

 

Where buildings are dispersed, GSM/LTE modems or soon, 5G modems are integrated into smart meters; data transfer takes place via the cellular network.

 

In places where the arrangement of the buildings is quite compact, i.e., housing estates and blocks of flats, the meters can communicate through the existing electric cables using power line communication (PLC) technology.

 

If the distance to the nearest low-voltage (LV) distribution station is quite large, a GSM modem is connected to the meter’s communication hub and then communication takes place via a cellular network.

 

Where the distance to the LV station or switchgear is small and there are sufficient technical conditions, the PLC module is connected directly to the operator’s hard infrastructure network.

 

Finally, the heart of the AMI system is the head end system (HES), the metering data management elements that are built of more generic IT components such as database servers, operator panels, servers hosting web applications, etc.

 

This architecture is nothing new, but in recent years new elements have appeared, or will appear soon:
– AMI integration into the user’s home area network (HAN)
– Mobile applications and web applications that allow users to manage their energy operator accounts, check current consumption and receivables, and eventually also manage some of the devices on the HAN.

 

Preparing the attack – vulnerability analysis

 

In SEQRED’s research project, the team’s goal was to put the AMI system through a comprehensive security analysis to identify potential risks and evaluate them from the point of view of a potentially malicious actor. From this perspective, one of the key attack entry points (the first component to be compromised) and the most exposed and accessible element of the system is the smart meter itself. These elements are publicly available, often in staircases or in electrical boxes outside the property’s fence.
Modems and hubs are components that are often not properly secured and, in many cases, are accessible from the HAN network because the end-user is often treated as a trusted user in the AMI system’s mobile and web applications.

 

Fig. 1: Elements that can pose as entry points for a potential attack
 

 

Fig. 2: A range of threats that can be associated with an attack –
DSO (distribution system operator) perspective.
 

 

Fig.3: A range of threats that can be associated with an attack –
energy consumer perspective.
 

Along with the implementation of AMI systems, new challenges have emerged for smart meters, mainly relating to their remote communication capability, i.e., support for 3G (or other wireless) modems and the ability to communicate with the use of PLC modules, and, above all, an extensive DLMS (device language message specification – IEC 62056) protocol stack implementation. DLMS is the main global standard for smart energy metering, control, and management. It includes specifications for media-specific communication profiles, an object-­oriented data model, and an application layer protocol.

 

As a result, new obligations were placed on the energy distributors because such meters, as well as modems, should be managed and maintained, and it should be possible to communicate with them according to the standard, keep passwords and keys for DLMS associations, update software, and, above all, provide infrastructure for the meters to have the means to communicate.

 

Smart meter device security overview

 

Components of a smart meter
The heart of the meter contains a microcontroller (most often in arm or mips architecture), analog-to-digital converters, a display, the communication modules mentioned earlier, and the most important element – an opto-connector, which is a public element of the meter anyone can approach and use to connect with the meter using the adaptor presented below.

 

Fig. 4: Illustration of a DLMS optical interface accessed
via a dedicated adaptor opto-connector
 

It is important to mention that from a security point of view any device, including a smart meter, is subject to a reverse engineering process which allows attackers to map out its internal structure and the logic of the built-in program (firmware).

 

Fig. 5: Key features of the smart meter – potential attacker perspective
 

The interface of the most interest was the one most available – the opto-connector – as it is widely used for communication. The adaptor can be attached to a laptop or smartphone. The opto-connector is used for communication with the meter where the standard communication is carried out using the DLMS/COSEM protocol.

 

The DLMS/COSEM standard describes the method of communication with smart meters regardless of the transport layer used (e.g., TCP/IP, opto-connector). It also defines a protocol that conforms to the OSI model and models of interfaces and objects transmitted in messages that conform to that protocol. Like any such protocol, its implementations may be susceptible to programming errors that can be used (exploited) with the help of messages prepared by the attacker.
SEQRED’s team decided to check the security of one of the most popular DLMS/COSEM implementations. The choice fell on the solution used for 20 years in countries across Europe and OEMed by many smart meter manufacturers. Importantly for research efficiency, the solution had had open-source development and implementers provided an example program simulating the operation of the meter. Tests were conducted using the intelligent fuzzing method, i.e., by introducing random input data into the program and using a genetic algorithm that makes the new input data more like that discovered by new paths in the program’s code.

 

The screenshot below shows the fuzzer execution result – identifying 15 unique crashes, i.e., input data that caused the program to stop abnormally. Further analysis revealed that the crashes resulted from five programming errors identified (and reported to implementers) by SEQRED. Errors of this type allow the denial-of-service attacks, reading data in the meters’ RAM (including passwords, for example), or code execution; i.e., in practice, the attacker can take control of the meter. It should be added that even if access to the meter required a password, errors occurred before it was verified, as in the case of the error presented in the screenshot below when agreeing on the version of the protocol used in further communication. This means that the attacker could have used it without knowing such a password.

 

Fig. 6: Five different programming errors in smart meter firmware
found by SEQRED that can be exploited by an attacker
 

An interesting fact: the shortest input frame causing the meter to stop working was only 22 bytes long.

 

At this point, SEQRED had identified several vulnerabilities, and DLMS frames allowed attacks to disrupt and take over the meter. The decision was made to try to reproduce errors in physical smart meters devices commonly used in the European market.

 

The attack

 

The SEQRED research team purchased three different smart meters and tested them in the first step to replicate vulnerabilities found in the open-source DLMS/COSEM stack on the physical device. The first frame that reset the memory reading in the previously tested stack affected the first of the meters tested.
To take over the meter in the second step, a dump of non-volatile memory was made, after which the firmware was reversed with an emphasis on the DLMS stack.

 

The result was that the SEQRED name was displayed on the meter; the meter was taken over with little effort.

 

Fig. 7: The result was complete control of the meter
 

The methods described above are meant to provide a sample of the diligence and thoroughness of the methods and tactics needed to verify and ensure the security of advanced ISC/OT installations operating in critical infrastructures.

 

“The attacker could have used it without knowing a password.”

 

For the sake of brevity, SEQRED decided to provide a summary of some other quite common vulnerabilities in AMI/smart metering solutions that were discovered in SEQRED’s full research:

 

• Sensitive data storage (i.e., access to the data and credentials of the network of the distribution system operator) in meters’ non-volatile memory without protection.
• Errors in or lack of configuration of authentication mechanisms and in the authorisation structure in communication devices (GSM modems, hubs, routers).
• Duplication or inappropriate cryptographic key management mechanisms on the meters.
• A multitude of security issues in mobile and web applications offered to energy consumers for contract management and consumption monitoring, i.e.:
– Sensitive data logging
– Hard-coded sensitive data (accounts, API keys)
– Incorrect implementation of SSL (the possibility of carrying out man-in-the-middle attacks)
– An excessive set of system permissions
– Insecure IPC mechanisms (interprocess communication)

 

“To minimise the risk of potential cyber-attacks and compromise, one should apply AMI cybersecurity practices.”

 

Cybersecurity best practice for AMI infrastructure

 

To minimise the risk of potential cyber-attacks and compromise, one should apply the following AMI cybersecurity best practices:

 

For overall AMI solutions:
• Design for and implement a comprehensive and fit-for-purpose security management system, including passwords, keys, and configuration management.
• Introduce security architecture design from the start of the project development – security should be considered as soon as the functionality of the AMI/smart metering solution is conceived.
• Ensure smart meters’ configuration and key management practice is implemented according to DLMS standards and ensures key uniqueness and protection of their storage in the devices’ non-volatile memory.

 

For communication infrastructure:
• Use a dedicated APN for cellular communication.
• Do not leave devices visible/discoverable on the network.
• Apply correct internal network segmentation.
• Obvious but always relevant: do not use the same passwords for many devices, and do not use default ones.

 

For smart meters:
• Be aware that the measurement certification and DLMS compliance certification are not related to security; they only assert the accuracy of the measurements and the correctness of the implemented protocol. The device should communicate according to set standards, hence independent cybersecurity verifications, i.e., audits and tests are required.
• Request that the AMI/smart meter vendors and integrators present proof of the security of solutions, along with reports on suitable types and scopes of tests that have been carried out, and whether there is any changelog (with a list of changes introduced in the firmware).

 

For mobile and web applications:
• The security of the product must be considered from the beginning of its development.
• A final security audit must be always carried out.

 

The approach to verify the cybersecurity of AMI and the best practices presented above are also applicable (after tailoring) to ensure that the cybersecurity of other types of ICS/OT solutions is operating in critical infrastructure.

 

In short:
• Electrical smart meters installation is a legal requirement in the EU
• Development of Electric Sector infrastructure increases functionality along with exploitation risk
• Need for advanced approach in the identification and management of cyber threats as state-sponsored cybercriminals target the Electric Sector
• SEQRED team shares results on smart meter research and testing

 

About the author
Krzysztof is a strategic advisor in the fields of OT and IT security and the founder and CEO of Seqred International, a cyber security consultancy focused on testing and improving security in the field of ICS. Krzysztof advised global organizations in government, power & utilities, manufacturing, and air transportation on the planning and safe implementation of IT and OT solutions as well as company-wide technology-driven transformation programs.