Understanding smart meters to design intelligent, secure systems
Today, there are close to two billion electricity meters installed worldwide, but less than 10% of them are considered “smart” meters with two-way communications. This will change over the next few years as next-generation meters are developed and installed. Add to those numbers the meters uses for gas and water, and the number of meters can easily double to four billion or more.
Next-generation smart meters will provide a gateway into the home and allow both the utilities and consumers to manage consumption. Utilities can set up dynamic pricing to provide incentives to consumers to shift peak loads, while consumers can better track their usage and decide when not to use appliances that consume large amounts of power to reduce their energy bills. Data regarding usage can initially be accessed over the internet using a PC or smart phone that links to the utility so that consumers can access off-line usage data, but in the future consumers might be able to directly log onto the smart meter to get real-time consumption data. Keeping that data secure is one of the major challenges facing both the utility companies and the e-meter vendors.
Local attackers have physical access to the meter, network gateway, or a connection between these components. They can try to disclose or alter assets that are stored in the meter or gateway or while data is being transmitted between meters in the metropolitan area network and the gateway. This threat model assumes that the local attacker has less motivation than the WAN attacker since a successful attack of a local attacker will only impact one gateway. The local attacker could also be the consumer trying to get services without paying for them.
An attacker located in the WAN (WAN attacker) can try to compromise the confidentiality and/or integrity of the meter data and/or configuration data transmitted via the WAN. Or the attacker can try to conquer a component of the infrastructure (i.e. meter, gateway or controllable local system) via the WAN to cause damage to a component itself or to the corresponding grid (e.g. by sending forged meter data to an external entity). Even though in the concept of Common Criteria the attacker with the highest attack potential (which is the WAN attacker with a high attack potential) determines the level for the vulnerability analysis, the definition of following threats acknowledges that the local attacker has less attack potential than the remote attacker. (Please also refer to chapter 6.11.2 in the Protection Profile for the Gateway of a Smart Metering System published by The German Federal Office for Information Security, v1.01.1 draft)
When designing the e-meters, there are several key concerns – meter power consumption, cost and reliability. Both power consumption and costs have to be as low as possible to ensure the millions of meters don’t add any significant power drain to the grid, and at the same time, the meter cost must be low since the utilities must be able to cost-justify replacing the old meters. The reliability requirement is an obvious demand due to the long life time and nature/quality of the service. Additionally, as mentioned earlier, the meters must be secure – data encryption has to be an integral part of the meter design to ensure that hackers can’t collect personal data or gain access to the utility’s network.
The companies designing the smart meters must account for the different regulatory requirements of each region around the world, as well as for the different services and functions that each market requires. Automated meter reading regulations in the U.S., for example specify the frequency of meter readings, the data transmission scheme, and the amount of data that must be stored locally in the meter at any point in time. The amount of data the system must store to insure against data loss, will affect the amount of local memory needed in the smart meter, and that may have an impact on component selection and cost.
In Germany, the BSI defines a Security Protection Profile for the communication Gateway interfacing with the Wide Area Network and mandates usage of a security module. This gateway is to reach a Common Criteria EAL4+ security level. The VaultIC4xxx Security Module is one of several security solutions in the industry that already offers this security level, reducing to its minimum the certification effort for the gateway manufacturer. (See sidebar at the end of this article for more information.)
Smart Meter Basics
Although the definitions vary somewhat, a smart meter monitors energy, gas, or water consumption and displays the consumption in real-time, typically on a LCD display. The meter also has a communications interface – in the U.S., many companies have standardized on the ZigBee wireless radio as the link to the utility, while in Europe, many utility groups have agreed to use power-line communications to link the meters to the utility. These communication interfaces also have to be low power even though they spend most of their tie in a “sleep” or standby mode.
The electric utility’s transition from fixed-rate billing to a time-of-use billing arrangement is driving the creation of second-generation e-meters that are smart enough to handle time-of-use billing and allow for automatic meter reading (AMR). This changeover will require more powerful microcontrollers, wireless radios, information rich LCDs, and real-time-clocks (RTC) to supplement the analog front end (AFE). For the first meters in this generation, multiple chips will be used to provide all the functions. However as the utilities try to drive down the cost, the component/meter suppliers will further integrate the components
At the heart of the smart meter is a low-power microcontroller coupled with an AFE. In an electricity meter, the AFE senses the current and voltage, converts the sensed values into digital form, and then sends the digital values to the microcontroller, which processes the data, stores the reading in local memory, displays the information on a small LCD screen, and on a regular schedule, uploads the data to the utility via a communications interface (Figure 1). For applications in gas or water consumption metering, extremely low power consumption will be an additional requirement since the meters may have to be battery powered and that battery will have to last several years. Or, some type of energy harvesting power source may be used to eliminate the battery.
Figure 1: A typical secure smart electricity meter leverages the VaultIC460 from INSIDE Secure to provide data security and tamper protection. The meter also contains an analog front end to sense the power usage, a secure microcontroller to process and display the collected data, and a communications interface to send the data back to the utility company.
Another important aspect of smart meter design is protecting the meter from tampering – there are many markets around the world where utility theft accounts for a significant portion of total usage. By incorporating various sensing schemes that detect if the meter case is opened, or a probe inserted, or a strong magnet brought nearby, or some other tampering approach, the meter can send a message back to the utility or even lock out the customer until a service technician comes out to determine the actual event that triggered the tamper warning. Such an approach can help the utilities to exert better control and reduce unmetered losses.
To design a meter, the best way to start would be to define a common platform that can be used across multiple applications and regions with just a few minor variations. Then, determine the amount of computational horsepower the internal microcontroller (MCU) will need to perform all the tasks. There are many off-the-shelf highly-integrated MCUs that can handle the task, but when the low-power-consumption constraint and data-encryption requirements are added to the mix, the choice narrows considerably. Of course there is always the option of crafting a dedicated system-on-a-chip (SoC) that is tuned for the electronic-meter application, but the cost and development time may be an issue for that approach. However, the final solution could lower overall system cost by eliminating many of the discrete components.
Although various microcontroller vendors have MCUs that include on-chip analog-to-digital converters (ADCs), the signal capture and conversion requirements often lead to the use of a separate analog-front-end chip. Such chips are designed to sense the usage (electricity flow, gas flow, water flow, and convert the sensor output into digital form so that the consumption data can be analyzed. For instance, in an electric meter, a single-phase or polyphase front end can incorporate many advanced power-monitoring features such as power factors, vector sum, and harmonic components. Metering accuracy and electric fast transient (EFT) response are critical requirements for electric meter designs.
Attacks: The State of the Art
When implementing the system hardware, designers have to consider the various ways someone can hack into the system. There are typically four approaches to accessing the system. They include:
Eavesdropping – hackers can monitor the analog characteristics of all supply and interface connections and any other electromagnetic radiation produced by the processor during normal operation.
Software attacks — the normal processor communication interface can be used to try to exploit security vulnerabilities found in the data-communication protocols, cryptographic algorithms, and other aspects of the system.
Fault generation – by varying timing and voltage levels hackers can create abnormal operating conditions that will cause the processor to malfunction and enter a state that permits access to secure portions of the system. Additionally, exposing the chip surface to laser light can also leverage the natural photoelectric effect of the circuitry to generate faults. Once the chip surface is exposed, the laser light is the most difficult technique to counter. However, the use of a laser might more appropriately fit in the next category which covers invasive techniques since the chip surface must be exposed.
Microprobing – this approach requires direct access to the chip surface so that physical probes can inject signals, capture data, manipulate registers, and otherwise interfere with the system operation to access the secure information.
Microprobing is an invasive attack that requires sophisticated equipment to access on-chip circuitry and typically requires a long time to gain access, while destroying the circuit packaging, and even the circuit itself. It is also a fairly expensive challenge and thus it is usually used only if the payback will be worth the up-front expense to reverse-engineer a portion of the chip or the entire chip.
The other three attack approaches are non-invasive attacks and can typically be reproduced very quickly after the initial solution since no physical intrusion to the circuitry is required. The attacked circuits are not physically damaged and the equipment used in the attack is relatively simple and low cost.
By using a combination of monitoring normal operation and operation during faults, differential power analysis (DPA) is a popular hacking approach that allows hackers to determine the software execution, and circuit designs should include various countermeasures to thwart such analysis.
Overview of Differential Power Analysis
DPA is an attack approach using statistical analysis discovered by researchers at Cryptography Research (now a division of Rambus Inc.). It allows cryptanalysts to extract the secret keys and get around the security embedded in various ICs and tamper-resistant devices by analyzing the power consumption of the circuits. (for a short video on DPA, go to https://www.cryptography.com/technology/dpa/dpa-video.html.) A less-complex form, referred to as simple power analysis (SPA) does not use the statistical computations. Both SPA and DPA attacks are non-invasive. The attacks can also be automated and performed without knowledge of the target circuit.
Countering the SPA and DPA attacks can be done during system or chip design by reducing the power consumption variation that typically exists between each software or hardware operation. Thus, by “leveling” the power consumption, the SPA and DPA schemes can’t determine what operation is taking place, and thus can’t extract any useful information. One approach to leveling the power is to add different types of noise into the power consumption measurements, thus obfuscating the true power consumption. Additionally, scrambling various data bus and address lines during chip design can also obfuscate the true power consumption.
Since cryptographic code includes lots of bitwise arithmetic functions, an analysis of the code for constants and sequences of mnemonics can give hackers an indication of the type of cryptographic algorithm used. By applying the statistical analysis to the power fluctuations during code execution, the instruction sequence could be reconstructed. Thus the need to hide the operations becomes a major concern.
Randomizing techniques can also be incorporated into the algorithms so that the data manipulated in the system appears more random, but can be reconstructed to produce the correct result. If the system allows the cryptographic protocols to be modified, then additional countermeasures can be added by modifying the protocols to continually refresh and update the secret information during the life of the system.
Basically, one can apply an old analogy – if you think of security as a chain, then the chain is only as good as its weakest link (Security Protocolsßà Cryptography ßà Key Storage). Each area must be analyzed and protected against incursions.
In the physical design of the chips in the system, circuit and layout approaches should be employed to prevent reverse engineering of the chips that would allow hackers to reconstruct the circuit and analyze the data manipulations. Simple approaches such as scrambling the on-chip data buses and memory address lines are a good starting point. Additional schemes might include encrypting the security key typically stored in the microcontroller or dedicated security controller.
Once strong cryptography is used, key storage becomes weakest link. Additionally, many systems may store multiple copies of the secret keys in various locations that hackers might gain access to. Thus to eliminate this avenue of attack, secret keys can be stored:
1) Online in a central server (but expensive setup, and long response times)
2) Semi-online (system received the key(s) at boot time, with the keys often held in DRAM during runtime – a poor option since the DRAM could be monitored.
3) Offline where the key copy is securely stored
In general, secret keys should be different for every user (however this would require many different keys, and that infers that the key generation circuitry should be scalable). The keys should also be immediately accessible (this contradicts the first point and requires a small number of keys.). The best alternative would be to derive the keys for the users from a master key, with the master stored in a form of “key vault.” This would grant business continuity in case of a hack.
Non-invasive attacks can end up being particularly dangerous since the owner of the compromised system might not notice that the secret keys were stolen, and thus may not act fast enough to invalidate the compromised key before it is inappropriately used. Secondly, non-invasive attacks are not very obvious since the necessary equipment (e.g., a small DSP board with dedicated analysis software) can usually be produced for moderately low cost and could readily be updated with new analysis algorithms.
Generating Fault Attacks
In a glitch attack, the hacker will deliberately try to generate a malfunction that causes one or more logic elements in a circuit to flip into an incorrect state. When that happens the hacker could attempt to replace a single critical processor instruction with an almost arbitrary different instruction. Glitches can also be used to corrupt data values as data is transferred between registers and memory.
There are four approaches for creating fairly reliable malfunctions that would have an impact on only a few machine cycles in a secure processor: external electrical field transients, clock-signal transients, power-supply transients, and laser light on the exposed chip surface. Of key concern are instructions that an attacker might want to replace with glitches — conditional jumps or the test instructions preceding them.
The glitches can create a window of vulnerability in the processing stages of many security applications. The vulnerability then allows the hacker to bypass cryptographic barriers by preventing the execution of the code that warns the system that an authentication attempt was unsuccessful.
Clock-signal glitches are currently the simplest and most practical ones glitches to generate. The approach would be to add some clock like glitches to temporarily increase the clock frequency for one or more half cycles, such that some flipflops would attempt to sample their input before the new state has reached them. Some system vendors claim their systems include high-frequency detectors in their clock-signal processing logic. However, these detectors can be circumvented by carefully selecting the duty cycles of the clock signal during the glitch. To minimize the system compromise, designers can insert random time delays between any observable reaction and critical operations that might be subject to an attack. One solution to generate the internal clock signal might be to create a random bit-sequence generator that is fed by an external clock.
For invasive tampering detection, Zeroization mechanisms can erase secrets when tampering is detected. Zeroization is thus a highly-effective tampering protection approach for larger security modules that can afford to store secrets in battery-backed SRAM.
A buffer overflow attack is one of the most serious software security exploits. More than 50% of today’s widely exploited vulnerabilities are caused by buffer overflow and the ratio is increasing over time. Such overflow attacks cause serious security problems to special purpose embedded systems as well as general-purpose systems. With more embedded systems networked, it becomes an important research problem to defend embedded systems against buffer overflow attacks. An effective solution to protect embedded systems against buffer overflow attacks must contain two factors:
- It must provide complete protection and the requirements and rules must be simple so third-party software developers can easily follow.
- It must provide an efficient checking mechanism so system integrators can easily check whether a component has been protected or not. Since the source code of some components may not be available for system integrators, the security checking must be able to be performed even without the knowledge of source code.
Tampering can take many forms, and it is not always a hacker – even service personnel can access the meter and compromise the data. In fact, about 25% of all reported data security breaches are the result of malicious insider activity. For example, during meter maintenance when diagnostic tools are connected to the meter to log, fix, or update the meter software, the service person can access the secure data. To prevent that, human intervention must be locked out via the security engine to eliminate the possibility of data manipulation or the installation of malicious modifications.
As mentioned earlier, the utility networks require security and higher-layer interoperability as defined in ANSI C12.19 to ensure the various Smart Grid subsystems function as a secure network of networks. There are additional technologies in development to help ensure communications between networks will be reliable and secure. Currently many systems employ established algorithms such as AES and Elliptic Curve. In the future, the 128-bit encryption will probably be replaced by 256-bit schemes for a higher level of security in the utilities’ networks. Standards such as ZigBee Smart Energy 2 and 802.16 WiMAX call for that level of security. For a list of standards being developed for the U.S. Smart Grid, go to https://smartgrid.ieee.org/standards/ieee-smartgrid-standards-in-development.
Combining both hardware and software security is the foundation to build trusted execution environment enabling trusted communications and functionality extensions. One example of industry efforts to define trusted systems is a UK project named Hydra which is implementing these solutions on a smart meter to offer added value services such as Telecare. Hydra’s exemplar application is telehealth, which delivers weight and blood pressure results taken in the home delivered directly to a patient’s personal health portal or clinician with secure end-to-end data transfers. By addressing the technical problems for telehealth data transfers Hydra will help solve them for other value-added services, including home energy management, water, home security, home automation and others. Hydra is an example of a future application and service for the smart grid.
Sidebar: Overview of the VaultIC
In any system design, the more you can integrate on one chip, the less prone the system would be to tampering. Further, in smart meter designs, which also require low power consumption and customer security, a highly integrated solution for security is a strong requirement. The VaultIC4XX family from Inside Secure is one of several integrated solutions that provide secure key storage, tamper sensing, hardware triple DES and AES encryption acceleration and many other features to keep systems secure. Additional security features include power, frequency and temperature protection logic, logical scrambling on program data and addresses, power analysis countermeasures, and memory accesses controlled by a supervisor mode (see the Figure A).
With these on-chip hardware acceleration engines the VaultIC4xx series can handle DES/3DES algorithms as well as AES 128/192/256-bit algorithms, RSA algorithms up to 4096 bits, DSA algorithms up to 2048 bits, and Elliptic Curve algorithms up to 384 bits. The security features allow the controllers to provide FIPS 140-2 identity-based authentication using password, Secure Channel Protocol (SCP02/SCP03) or Microsoft’s minicard driver strong authentication.
Designed to keep its memory contents secure and avoid leaking information during code execution, the VaultIC4xx controllers include voltage, frequency and temperature detectors, illegal code execution prevention, tampering monitors and protection against side channel attacks and probing. The chips can detect tampering attempts and destroy sensitive data on such events, thus avoiding data confidentiality being compromised.
Figure A: A highly-integrated system-on-a-chip, the VaultIC4xx solution includes many acceleration engines for multiple crypto algorithms as well as an 8/16-bit RSIC processor core and lots of on-chip storage – up to 128kbytes of reprogrammable EEPROM.