Abstract
Smart grids comprise a variety of microprocessor-based embedded systems interconnected through communication technologies. In this interaction, hardware is the lowest level of abstraction. Insecure and unprotected hardware design of smart grid devices enables compromise of system operation, eventually leading to undesirable and often severe consequences. In this paper, we discuss how the hardware of grid equipment can be used to collect intelligence that serves beneficial or malicious purposes. We consider different access scenarios and attacker capabilities, as well as the location of the equipment in the grid. The outcome of “hardware hacking” is examined at both the device and the grid operation levels. Finally, we present hardware hardening techniques that aim to make components attack-resistant and reduce their vulnerability surface.
Notes
In cryptography, zeroization is the practice of erasing sensitive information, such as cryptographic keys and other critical memory contents, from a cryptographic module to prevent its disclosure if the equipment is tampered with.
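The practical pitfall with zeroization is that a plain memset() on a buffer that is never read again is a dead store, and an optimizing compiler may delete it, leaving the key in RAM for a tamper-then-dump attack to recover. The example below is added here to illustrate the note; it is not code from the paper. It routes the wipe through a volatile function pointer so the store survives optimization (the same idea behind explicit_bzero and memset_s), and checks the result in constant time. The key bytes are a constructed sample, not a real secret, and the tamper handler is a hypothetical stand-in for whatever a device's tamper switch actually invokes.

```c
/* Added example: compiler-resistant zeroization of key material on a
 * tamper event.  Not part of the original paper. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* A volatile function pointer to memset: the compiler cannot prove the
 * target is memset, so it cannot elide the call as a dead store. */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    memset_v(p, 0, n);
}

/* Returns 1 if every byte of the region is zero, else 0.  The loop runs
 * over the whole region so the check itself does not leak the position
 * of the first nonzero byte. */
int is_zeroed(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Hypothetical tamper handler: wipe the key before anything else runs
 * and report whether the wipe actually took effect. */
int handle_tamper(uint8_t *key, size_t key_len)
{
    secure_zero(key, key_len);
    return is_zeroed(key, key_len);
}

/* Constructed scenario: a 16-byte sample key is in use, the tamper
 * switch fires, and we verify the key is gone.  Returns 1 on success. */
int demo_tamper_wipe(void)
{
    uint8_t key[16] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
                        0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
    if (is_zeroed(key, sizeof key))
        return 0;                      /* sample key must start nonzero */
    if (!handle_tamper(key, sizeof key))
        return 0;                      /* wipe did not take effect */
    return 1;
}

int main(void)
{
    printf("tamper wipe %s\n", demo_tamper_wipe() ? "ok" : "FAILED");
    return 0;
}
```

On platforms that provide it, explicit_bzero() (glibc, OpenBSD) or memset_s() (C11 Annex K) can replace memset_v; the volatile-pointer form is the portable fallback for bare-metal firmware toolchains. Zeroizing a buffer in RAM does nothing for copies the key may have left in caches, DMA buffers, or flash wear-levelled pages, so a tamper response must also cover those locations.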
Cite this article
Konstantinou, C., Maniatakos, M. Hardware-Layer Intelligence Collection for Smart Grid Embedded Systems. J Hardw Syst Secur 3, 132–146 (2019). https://doi.org/10.1007/s41635-018-0063-0