The past year has seen several security incidents involving root certificate authorities, the organizations underpinning much of the security across modern data networks through their use of public key infrastructure (PKI) and digital certificates. The incidents, while limited in scope, reveal a weakness in PKI security: the fundamental complexity of guaranteeing the integrity of every part of the provisioning and deployment process, from protecting the root and intermediate certificate authorities to ensuring the secrecy of the private keys that make the certificates they issue trustworthy.
The rollout of PKI components in emerging smart grid and advanced metering infrastructure (AMI) technology introduces a new class of risk to this formerly manually managed infrastructure. A breach of an AMI network’s PKI could result in the compromise of an electric utility’s entire distribution network, with cascading impact to connected transmission and generation assets. This risk is compounded when the utility does not manage the PKI components themselves, instead relying on the manufacturer, integrator or other vendor to maintain the security of the system.
PKI management overlooked
The fundamental weakness in PKI applies to every organization that issues or relies on PKI components for security, including those that operate their own private certificate authority under a self-signed root certificate. These organizations must ensure that the private keys used to sign the certificates under their control are never disclosed to, or used by, unauthorized individuals or systems, and that the scheme used to protect those keys is strong. It is especially noteworthy that most organizations that issue and rely on PKI components do not view PKI management as one of their core business processes. In addition, PKI operation often is not identified as a critical process in business risk assessments.
As a result, organizations do not allocate sufficient resources to securing PKI cryptographic material. While the cryptographic strength designed into PKI specifications historically has provided adequate defense against communications interception, the governance, protection and storage of the key material remain the weak links in the chain. Recovery from a breach of root certificate components, for example, is a non-trivial exercise: once the primary basis for trust is compromised, it is impractical to re-establish that trust without already-secure supply chain, communications and provisioning processes to rely on, and in a PKI-based deployment those processes themselves depended on the root that has just been lost. Recovery becomes harder still once equipment designed to trust the now-compromised root certificate has been deployed, perhaps in remote locations where manual servicing is impractical.
AMI components and risks
AMI components -- in particular, the “smart meters” that measure electricity use and manage its delivery for more than 110 million households and businesses in the United States -- rely on secure communications channels to transmit usage data. They also depend on those channels to respond to remote control commands (service disconnection and reconnection, firmware updates and other administrative tasks formerly performed by dispatching a meter reader or other field staff to the premises), and to provide assurance for other services (for example, by ensuring the integrity of a correct time source, which billing and other event processing require).
Many AMI equipment manufacturers rely on PKI for identification, authentication and establishment of secure communications channels. At its core, this functionality requires that the private keys used in these transactions be kept secret. The disclosure or unauthorized use of private key material -- whether through a breach of the hardware or software that stores the private keys, or through a flaw in the implementation of the PKI -- may allow an attacker to impersonate trusted components of the AMI network and issue commands to end devices. In the worst case, those commands could include the retrieval and installation of compromised firmware images that would give the attacker complete, ongoing control of the meters and other AMI components. A coordinated disruption of power to a large metropolitan area using this illegitimate access could cause instability in upstream transformers, substations and, ultimately, the transmission networks that carry power from generating facilities.
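To make the impersonation concrete, and to show why the recovery described in the earlier section is a distribution problem rather than a cryptographic one, here is an added example in Go. It is not code from this article or from any AMI vendor. It assumes a three-tier hierarchy (a utility root CA, a vendor-operated issuing CA and a head-end system that meters connect to), generates every key in software, and models the meter's recovery mechanism as a list of distrusted issuer keys; the names `Utility AMI Root CA`, `Vendor Issuing CA`, `headend.ami.example` and the `newCert`, `meterVerifies` and `Scenario` functions are all invented for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key pair and a certificate for cn, signed by parent
// (self-signed when parent is nil). Software keys are for the example only.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// keyFingerprint identifies a key, not a certificate: whoever holds the private key can mint new certificates.
func keyFingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// meterVerifies models a meter checking the chain a head-end presents: the leaf must chain to the
// embedded root, and no issuer in the chain may be on the meter's (assumed) distrust list.
func meterVerifies(root *x509.Certificate, presented []*x509.Certificate, distrusted map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	for _, c := range chains[0] {
		if distrusted[keyFingerprint(c)] {
			return fmt.Errorf("chain passes through distrusted key of %q", c.Subject.CommonName)
		}
	}
	return nil
}

// Scenario returns whether a meter accepts the genuine head-end and a forged one
// before recovery, and the forged one and the re-enrolled head-end after it.
func Scenario() (legit, forged, forgedAfter, legitAfter bool) {
	root, rootKey := newCert("Utility AMI Root CA", true, nil, nil)
	issuing, issuingKey := newCert("Vendor Issuing CA", true, root, rootKey)
	headEnd, _ := newCert("headend.ami.example", false, issuing, issuingKey)
	// The issuing key leaks; the attacker mints a certificate carrying the genuine head-end's name.
	rogue, _ := newCert("headend.ami.example", false, issuing, issuingKey)
	none := map[string]bool{}
	legit = meterVerifies(root, []*x509.Certificate{headEnd, issuing}, none) == nil
	forged = meterVerifies(root, []*x509.Certificate{rogue, issuing}, none) == nil
	// Recovery: a new issuing CA under the still-secret root key, a re-enrolled head-end, and a
	// distrust entry pushed to every meter. A meter the push never reaches still behaves like `forged`.
	issuing2, issuing2Key := newCert("Vendor Issuing CA G2", true, root, rootKey)
	headEnd2, _ := newCert("headend.ami.example", false, issuing2, issuing2Key)
	distrust := map[string]bool{keyFingerprint(issuing): true}
	forgedAfter = meterVerifies(root, []*x509.Certificate{rogue, issuing}, distrust) == nil
	legitAfter = meterVerifies(root, []*x509.Certificate{headEnd2, issuing2}, distrust) == nil
	return
}

func main() {
	fmt.Println(Scenario())
}
```

The telling pair is the second and third values: the forged head-end verifies just as the genuine one does, and it is rejected only by a meter that has already received the distrust entry. The recovery shown is possible only because the root key stayed secret; had the root itself leaked, every deployed meter would need a new root installed, which is the case the article calls impractical for remote equipment.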
The reliability of the nation’s bulk power system (BPS) traditionally has focused on protecting the electric generation and transmission networks responsible for delivering power among generating plants and substations across long distances. With the widespread deployment of AMI technology, attacks against distribution networks that were once limited in scale to a single premise are now scalable to multiple distribution endpoints simultaneously. This increase in scale provides another vector for disrupting the bulk electric system: instead of attempting to disrupt the more heavily protected (and regulated) transmission and generation assets, malicious actors may now leverage a compromise of large numbers of distribution endpoints (meters) to effect the same disruption. Making this attack vector more tempting is the fact that the equipment is common, installed in unprotected locations (usually on the side of a house or apartment building with open access), and lacking robust tamper detection and alerting capability.
Both manufacturers and end users of AMI equipment must understand the role that PKI components play within their implementation or deployment. They must be aware of the proliferation, use and protection of any of the private key material used for the provisioning of secure services among AMI and other control systems components.
Each of the several dozen manufacturers of AMI components uses a different set of technologies to implement network communications with varying degrees of security. Organizations wishing to evaluate the security of a particular vendor’s AMI technology should focus on how the technology establishes secure communications from the meter management system to the end metering device. They should ask questions about the development, testing and operation of any PKI components, taking into account third-party certification, the security of hardware components, and the supply chain of hardware, software, and cryptographic key material. The personnel assurance programs implemented by the AMI vendors should also be examined, especially when the vendor is involved in the provisioning of key material or any aspect of AMI operations, such as development and deployment of software or firmware upgrades.
Finally, organizations should review their breach and incident response programs as well as those of the manufacturers. Two of the pre-deployment objectives should be developing a process for recovering from a loss of trust in a subset of the metering infrastructure, and documenting the acceptable impact to utility operations from a set of compromised AMI components.
Many utilities and other end users of AMI equipment are in a unique position: They do not control the provisioning of private cryptographic material on devices that are responsible for managing the distribution of their product to the customer, and in some cases, do not administer the networks or the management systems responsible for control of the AMI components. It is therefore imperative that utilities establish a method of independently verifying the security of the components, the networks, and the management of this business-critical function, not only from an examination of the design, but also through active monitoring and sampling of the production implementation.
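One form such sampling can take is a periodic audit of the certificates that a random sample of production meters actually present, compared against what the utility believes was provisioned. The Go program below is an added example, not the article's or any utility's tooling; the record layout, the `Vendor Issuing CA` and `Integrator Test CA` names, the fingerprints and the dates are all constructed. It flags meters whose certificate was issued by a CA the utility never authorised, certificates that are expired or inside the renewal window, and, the finding a design review alone will not surface, one public key appearing on several meters, which means the same private key was duplicated into many devices at provisioning.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// MeterCert is one row of a constructed inventory: what a sampled meter presented
// when the auditor connected to it and pulled the device certificate. A real export
// would be parsed from the certificates themselves; the fields here are invented.
type MeterCert struct {
	MeterID  string
	IssuerCN string
	KeyFP    string // hex SHA-256 of the meter's SubjectPublicKeyInfo
	NotAfter time.Time
}

// Finding is one audit result for one meter.
type Finding struct {
	MeterID, Problem string
}

// Policy is what the utility expects of every device certificate (assumed values).
type Policy struct {
	TrustedIssuers map[string]bool // CAs the utility authorised to issue meter certificates
	RenewWithin    time.Duration   // flag certificates that expire sooner than this
	Now            time.Time
}

// AuditSample checks each sampled meter against the policy and, across the whole
// sample, looks for one public key appearing on more than one meter: a sign that a
// single private key was provisioned into many devices, so extracting it from one
// meter would let an attacker impersonate all of them.
func AuditSample(sample []MeterCert, p Policy) []Finding {
	var out []Finding
	byKey := map[string][]string{}
	for _, m := range sample {
		byKey[m.KeyFP] = append(byKey[m.KeyFP], m.MeterID)
		if !p.TrustedIssuers[m.IssuerCN] {
			out = append(out, Finding{m.MeterID, "issued by unauthorised CA " + m.IssuerCN})
		}
		if m.NotAfter.Before(p.Now) {
			out = append(out, Finding{m.MeterID, "certificate expired on " + m.NotAfter.Format("2006-01-02")})
		} else if m.NotAfter.Sub(p.Now) < p.RenewWithin {
			out = append(out, Finding{m.MeterID, "certificate expires on " + m.NotAfter.Format("2006-01-02") + ", inside renewal window"})
		}
	}
	for fp, ids := range byKey {
		if len(ids) < 2 {
			continue
		}
		for _, id := range ids {
			out = append(out, Finding{id, fmt.Sprintf("public key %s.. is shared by %d sampled meters", fp[:8], len(ids))})
		}
	}
	// Deterministic order so reports (and tests) are stable run to run.
	sort.Slice(out, func(i, j int) bool {
		if out[i].MeterID != out[j].MeterID {
			return out[i].MeterID < out[j].MeterID
		}
		return out[i].Problem < out[j].Problem
	})
	return out
}

// SampleInventory returns six constructed records; the fingerprints are placeholders, not real key hashes.
func SampleInventory() []MeterCert {
	d := func(y, m, day int) time.Time { return time.Date(y, time.Month(m), day, 0, 0, 0, 0, time.UTC) }
	return []MeterCert{
		{"M-10001", "Vendor Issuing CA", "3f9c1a7e0b2d4c5e", d(2030, 1, 1)},
		{"M-10002", "Vendor Issuing CA", "3f9c1a7e0b2d4c5e", d(2030, 1, 1)},  // same key as M-10001
		{"M-10003", "Vendor Issuing CA", "3f9c1a7e0b2d4c5e", d(2030, 1, 1)},  // and again
		{"M-10004", "Integrator Test CA", "8a21d0ff6e93b4c1", d(2028, 6, 1)}, // CA the utility never authorised
		{"M-10005", "Vendor Issuing CA", "c4e7b9a2115f0d38", d(2012, 6, 20)}, // expires in ten days
		{"M-10006", "Vendor Issuing CA", "0d55e1c9a7b3f264", d(2011, 12, 31)}, // already expired
	}
}

// DefaultPolicy pins Now so the audit is reproducible (assumed policy values).
func DefaultPolicy() Policy {
	return Policy{
		TrustedIssuers: map[string]bool{"Vendor Issuing CA": true},
		RenewWithin:    30 * 24 * time.Hour,
		Now:            time.Date(2012, 6, 10, 0, 0, 0, 0, time.UTC),
	}
}

func main() {
	for _, f := range AuditSample(SampleInventory(), DefaultPolicy()) {
		fmt.Printf("%s: %s\n", f.MeterID, f.Problem)
	}
}
```

On the constructed sample the audit produces six findings: three meters sharing one key, one meter enrolled under a test CA, one certificate about to expire and one already expired. The shared-key check is the reason to sample physically deployed meters rather than trust the vendor's provisioning records: duplicated key material is invisible in a design document and only shows up when the devices themselves are queried.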
The use of traditional, proven security constructs in new technology design can ensure robust protections for the new equipment, but only if the entire design is considered and then only when all processes and components required for secure operation are implemented. PKI is a complex set of interrelated components, each of which must function properly and in conjunction with the others in order to provide the claimed security. When organizations responsible for the secure implementation and deployment of technology make design decisions that shortcut or eliminate express or implied protections of PKI components, they put the entire system at risk. This is more likely when an organization does not view PKI management as a core business process.
Utilities and others who rely on the secure operation of AMI components should take steps to understand how the devices have implemented the specification, and the impact of any deviations from the appropriate standards. They should also ensure they have a robust detection and recovery plan in place in the event of a compromise of the private key material or the systems themselves.
Failure to recognize the risk of faulty PKI implementations and improper deployments could pose grave risk to AMI and smart grid systems, thereby jeopardizing the stability of the nation’s power distribution systems.
About the author:
Seth Bromberger is the executive vice president of information sharing and government outreach at the Energy Sector Security Consortium, a nonprofit he helped co-found in 2008. He has been involved in network and systems security for more than 17 years with experience in many industries, including government, finance and energy. Bromberger’s work on large-scale data analysis and multi-source correlation techniques resulted in his being the listed inventor on patent application 13,339,509 (non-provisional filing December 2011), "System And Method For Monitoring a Utility Meter Network," which describes the TopSight™ system he developed to detect anomalous behavior in a multi-million node Smart Meter network. He is a frequent speaker on critical infrastructure protection and is recognized in multiple sectors as a thought leader. Send comments on this article to firstname.lastname@example.org.