Wednesday, April 27, 2011

Trivial Key Extraction From Electromagnetic Emissions

I am at day 2 of a 2 day workshop at Cryptography Research in San Francisco, California.  The focus of this workshop is on side channel attacks using both Power Analysis (SPA and DPA) and EM analysis to extract secrets (such as keys) from various systems and devices.  By far, the most interesting demonstration I have seen is one where both RSA and ECC keys are extracted from a mobile device using a hobbyist antenna and some basic equipment (and software tools developed by Cryptography Research).  The total cost for the equipment is less than $2000 (even less if you scrounge around on Ebay, to be sure).

In this attack, a mobile device performing a cryptographic operation is held 10 feet away from an antenna, and with a few seconds of signal sampling, they are able to extract a key by analyzing peaks on a spectrograph.  One of the questions I asked is if a more powerful antenna could potentially read the EM from a longer distance, and was told that by simply focusing a parabolic dish at a target (similar to what has been done for reading long distance WiFi signals), the traces can be gathered from very long distances.

I found this quite fascinating, since I am not sure what (if any) protection currently exists for products being used in Smart Grid deployments.  There are indeed ways to protect devices against both EM and SPA/DPA attacks, but I am currently unaware of what protections exist.  Moreover, as we learned in the workshop, typically most devices "leak" this information in more ways than one, and what they typically discover in many implementations they test, known simple EM,SPA,DPA attack vectors are not considered during engineering (not always, but often enough to furrow ones brow).

I am not sure how serious an issue this may be, but it does raise some concern, when you consider that an attacker does not necessarily have to set foot on someone's property to gather enough information to extract a key from something like a meter (or a cellphone, or anything else where secrets may be stored).  One of the basic tenants of protecting against attacks is to prevent scalable attacks.  In other words, design the system so that if I get one secret I can only do one bad thing, and make it hard enough to get multiple secrets that an attacker simply gets exhausted with the "workload", and moves on to something else.  If an attacker has to get his hands on each and every device to perform an attack, one can see how this becomes non-trivial.  However, if an attacker can focus an antenna setup at (for example) a bank of meters on a wall for an apartment complex, now you may have something to write home about.

For those of you not familiar with Cryptography Research Inc., you can find out more about them at www.cryptography.com .  Paul Kocher, who is one of the founders, is co-creator of SSL 3.0.  This is a well established, and well respected research organization, with an impressive pedigree.


I have a video of Gilbert Goodwill from Cryptography Research (one of the workshop instructors) demoing an EM attack at RSA 2011 on my YouTube channel:


Forgive the background noise (the RSA Expo Hall is quite noisy). They will be demoing this at my EnergySec Smart Grid Security Summit in October, 2011.

This is indeed something to think about.

Thursday, April 7, 2011

Executive Level Apathy For Security...Maybe Not So Much

I read an article in Information Week this morning titled "76% Of Energy Utilities Breached In Past Year", and while I found most of it rather sensationalistic and perhaps a bit boorish (I mean, c'mon, 76% of all businesses AND government agencies have probably been breached in the past year...at least according to the boundaries defined in this article), one part stood out:

"71% of people surveyed said that "the management team in their organization does not understand or appreciate the value of IT security."...Executive-level apathy or misunderstanding over information security is surprising..."

I have been thinking about this notion of "Executive Level Apathy" for a while now, and I have come to the conclusion that executives are doing exactly what anyone would do if put in their positions and under the circumstances.  Hear me out for a moment before throwing daggers.

One of the primary (if not THE primary) responsibilities of a CEO of an investor owned utility is to make sure the investors get what they paid for.  This can include anyone that invests in mutual funds and ETFs that include utility stocks as part of their portfolios.  When those stock prices (and dividends) go up, everyone is happy.  When they drop, everyone gets grouchy.  Anyone who invests knows the scene quite well.

There are a lot of factors that cause stock values to fluctuate, but suffice it to say that the more money a company spends on things that do not generate a return on investment, the lower the bottom line becomes.  In some cases utilities have to deal with MASSIVE expenditures fixing problems that, while they are fully responsible for them, generate no ROI (e.g. explosions, environmental messes).  I am talking about very real issues that are vivid in nature, and absolutely have to make it to the top of the list of "things we gotta take care of like yesterday".

So lets circle back around to security.  In the article the author points out that the average cost of fixing one of these breaches at an energy utility was $156,000.  If we take a look at my local utility (PG&E) revenues for 2010, a quick search on the Internet reveals that they took in $13.8 billion dollars.  That comes out to 0.00113%.  So, let's assume that PG&E maybe gets hit a bit more than the "average" reported by writer of this article.  Lets assume they get hit 100 times more, for a grand total of $15,600,000.  That brings us to a "whopping" 0.113%.

Okay, I am not saying they should not be concerned with security, but when one considers the costs of doing business and managing budgets on a great scale, it is easy to see that a $156,000 (or even $15,600,000) problem can work it's way down the list of "things I gotta deal with right away as the CEO".

Don't misunderstand me, I dislike filthy rich CEOs like any other red-blooded American worrying about paying his mortgage in our tough economy (although I am perhaps more jealous than anything else), but my very inquisitive nature forces me to peel back the layers of the onion enough to at least try to get some perspective on this, and the truth is that a 0.00113% to 0.113% problem is not something to get worked up about.  We, as a society, have created a specific role for such top level executives which FORCES them to focus on what really matters, and today that is measured in the short term (1 budget quarter at a time).

It is, however, VITALLY important to pay attention to security (and CEOs know this) because there is a potential for a MASSIVE loss in revenues given the right circumstances, but how is anyone to know what the right amount of money is to spend on managing the issue?  If a company spends $1 million, $5 million, or $20 million to protect themselves against such breaches (and potentially larger ones), how do we determine if it is enough?  As stockholders we end up paying for it, and that does not usually make us happy.  As customers we also pay for it, because utilities are guaranteed recovery (from us) for such expenditures.

So how much are we all willing to pay for security?

We, as a society, generally get what we demand...eventually.  While it may sometimes seem like executive apathy abounds, the truth is that WE are just as apathetic (hopefully not me, but as a society in general) about security.  Consumers are simply not demanding security...and what would they demand anyway?  With SUBSTANTIALLY less than 1% loss to cybersecurity breaches today in the utility space, what kind of empirical information is likely to motivate a consumer?

Utilities can always do more, and executives can always be more concerned, but exactly how much more should they do, and how much more should they be concerned?  Frankly, until something really bad happens, I am not sure anyone will be able to answer that question.

Sorry if this seems like a downer to the security minded (and believe me, I am one of them), but I can't really demonize the guys in the high towers on this one.  I would like to see them speak publicly about cybersecurity issues, and that is something they could do as a form of outreach to the community, but in terms of being more pro-active, I certainly don't see how I would (or could) do anything different.

Just my opinion.  Take it for what it's worth.

Sunday, April 3, 2011

OpenSG And How Utilities Are Missing Out In Smart Grid Security Opportunities

Industry groups are often a good thing for the industries they exist for.  Industry groups allow member organizations to converge and discuss ideas, and hopefully come up with a unified way to improve stakeholder positions.

In order for an industry group to create value for the industry it serves, it is important to have a lot of participation by stakeholders.  It is also important to make sure that stakeholder participation is not skewed to serve one (or more) stakeholder categories over others.

This brings me to OpenSG.  For those not familiar with OpenSG (Open Smart Grid), it is a subcommittee created under the UCAIug (UCA International Users Group) to facilitate the creation and adoption of standards, methods, and guidelines for Smart Grid deployment.  This is a utility industry group, and the intended outcome of the work being done under OpenSG is to come up with a consensus based set of standards and guidelines for all utilities deploying Smart Grid.

Under the OpenSG umbrella, there exists an SG Security Working group, and I have been involved with this group for approximately 1 1/2 years.  In this time (and before I threw my hat in), there has been a lot of progress, and one can view some of the output by going to http://www.smartgridipedia.org/.  One of the more notable pieces of work output is AMI Security Profile 2.0.  This document was used by NIST (among other documents) to assist in the creation of the vaunted NISTIR 7628 document, and is currently being utilized by some larger utilities (such as PG&E) as a guideline for AMI security deployment.

I could go on and on about the task forces under the SG Security Working Group (such as the newly formed Embedded Security Task Force), but this is a blog posting, and keeping it short is important.

Okay, so let me tell you what concerns me.  The OpenSG SG Security Working Group is quite vendor heavy, and utility light.  Sure, we have great participation by some of the "big boys" (e.g. PG&E, SCE, Southern Company, Virginia Dominion, FPL), but we have nowhere near an adequate quorum of utilities participating in OpenSG.  When you consider there are over 2300 investor owned utilities in the USA, as an industry group I would suggest that at least 50% (or 1150) of those utilities should be ACTIVELY involved.

Why is this important?  Well, if it is not already obvious, because utilities probably have a better idea of how their industry works than the vendors do.  Every stakeholder that makes up any industry group is there for one reason, and that is to discover and create opportunities for commerce, or protect their current business model and bottom line (and hopefully make it fatter).  This is normal human nature in the business world, so spare the daggers.

In a vendor heavy environment, the industry group is obviously skewed in favor of the stakeholders who do not have the most at stake.  Security decisions made by utilities are decisions that are going to have far reaching impact for a long time.  While some may find comfort in the fact that large utilities are participating with vendors in making decisions for the industry (and regardless of participation in OpenSG the decisions made by the big boys will affect every utility), it is not wise to assume that what is good for the big utilities is good for the little guys as well.  There is a SIGNIFICANT difference between the security management and deployment capabilities of a utility with 5000 employees and one with 20 employees (or even less).  If vendors and large utilities decide on something like (as an example) a utility managed PKI system for key management, and products are designed to work with such a system, then a small utility may be a bit hampered in their ability to comfortably deploy.

I am not saying that the SG Security Working Group is not cognizant of this.  We certainly are and discuss it regularly.  However, without DIRECT input from the ACTUAL stakeholder organizations, we are forced to make educated guesses, and rely on extrapolation and conjecture in our decision making process.

Utilities who are preparing to deploy Smart Grid technologies have lots of questions and more than a few concerns about security.  There are a lot of very brilliant people working in OpenSG that are happy to freely share a wealth of information about Smart Grid security, and we can all learn from more participation.  We are still at an embryonic state with respect to Smart Grid security, so a little participation is sure to gain anyone who participates a lot of expertise over a short period of time.

Come on in.  The water's fine.