“If someone is able to attack the system and give the impression that there is a high peak of demand, then they can impact the load balancing for energy supply on the smart grid, which may bring down whole or part of the system,” he explains.
Because the smart grid is connected to the utility company, there is also a risk that the grid's back-end systems could be infiltrated through such an attack, says Contu.
Santamarta has demonstrated these vulnerabilities before, with both SCADA software and devices such as smart meters and programmable logic controllers (PLC).
“I discovered several vulnerabilities in a specific Ethernet/IP based PLC from [industrial solutions provider] Rockwell Automation that could be triggered by sending a specific sequence of packets,” he says. “These flaws could be used to either cause a permanent denial of service – meaning an operator had to physically access the device to recover it – or to load a ‘trojanised’ firmware instance that would give the attacker total control over the device.”
Although the original attack was tested against one specific model, it was found that it might also affect other devices that implement the Ethernet/IP protocol.
Another concern comes from "backdoors": hidden accounts that allow the vendor to access systems without the customer's credentials. These are usually test or development accounts that the original developers forgot to remove from their firmware or software, but they could just as easily let attackers in.
“By reverse engineering the firmware, it is possible to discover these vulnerabilities without physically possessing the device,” Santamarta says. He used this technique to expose Schneider Electric smart meters.
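The technique described above, finding hardcoded accounts by inspecting a firmware image rather than the running device, reduces in its simplest form to extracting printable strings from the image and matching them against credential-shaped patterns. The following is an added example written for this page, not code from Santamarta or from any vendor; the firmware blob it scans is a constructed byte string with made-up account entries, and the pattern set is an assumption about what credential material typically looks like (passwd-style records, crypt-style hashes, and plain `user:password` pairs), not a description of any particular product.

```python
import re
from typing import List, Tuple

# Constructed sample "firmware image" for this example: a few non-printable
# bytes standing in for code and data, with an embedded credential table.
# It is synthetic and does not come from any real device or vendor.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"root:x:0:0:root:/root:/bin/sh\n"           # passwd record, hash lives in shadow
    + b"admin:$1$abcdefgh$ijklmnopqrstuvwxyz012/\n"   # crypt-style hash baked into the image
    + b"factory_test:Factory1234\n"                  # plaintext test account left behind
    + b"\x00\x00\xff\xfe"
    + b"Usage: setparam <name> <value>\n"            # ordinary help text, must not be flagged
    + b"\x00" * 8
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of the `strings` utility: runs of printable ASCII of at least min_len."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


# Heuristic patterns for credential material. Each yields (username, secret-or-marker).
# Order matters: the more specific passwd record is tried before the looser forms.
CREDENTIAL_PATTERNS = [
    # user:field:uid:gid:...  (classic /etc/passwd line; field 'x' means see /etc/shadow)
    ("passwd_entry", re.compile(r"^([a-z_][a-z0-9_]*):([^:\s]*):\d+:\d+:")),
    # user:$1$..., $5$..., $6$..., $2a$...  (md5/sha/bcrypt crypt hashes)
    ("crypt_hash", re.compile(r"^([a-z_][a-z0-9_]*):(\$(?:1|5|6|2[aby])\$[^:\s]+)")),
    # user:plaintext  (a bare pair with no further fields)
    ("plain_user_pass", re.compile(r"^([a-z_][a-z0-9_]*):([A-Za-z0-9!@#%^&*]{6,})$")),
]


def find_hardcoded_accounts(blob: bytes) -> List[Tuple[str, str, str]]:
    """Scan a firmware image and return (category, username, secret_or_marker) hits."""
    hits: List[Tuple[str, str, str]] = []
    for s in extract_strings(blob):
        for category, pat in CREDENTIAL_PATTERNS:
            m = pat.match(s)
            if m:
                hits.append((category, m.group(1), m.group(2)))
                break  # one category per string
    return hits


def scan_file(path: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper for a firmware image on disk (path is whatever you extracted)."""
    with open(path, "rb") as f:
        return find_hardcoded_accounts(f.read())


if __name__ == "__main__":
    for category, user, secret in find_hardcoded_accounts(SAMPLE_FIRMWARE):
        print(f"{category:16} user={user!r} secret={secret!r}")
```

On the constructed blob this reports the `root` passwd record (marker `x`, so the hash is elsewhere), the `admin` entry carrying a crypt-style hash, and the `factory_test` plaintext pair, while ignoring the help string. Real images are usually compressed or packed inside a filesystem, so in practice you first unpack them (for example with a firmware-extraction tool) and then run a scan like this over the extracted files; a hit is a lead to verify, not proof of a working backdoor.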
Last year, research firm Gartner said that the main obstacle for enterprises trying to secure their ICSs effectively is a lack of management focus on security.
Santamarta claims the best way to prevent an attack is to understand how the system can be attacked in the first place.
“You must know where the weaknesses exist before you can try to fix them,” he says. “A defence in-depth strategy is highly recommended.”
Gartner analyst Ruggero Contu adds that an organisation can combine several measures to become as secure as possible.
“Make sure systems are patched up to date,” he says. “Perhaps deploy a security appliance to sit in front of the ICS, add anti-malware capabilities and if the ICS is critical then ban the use of USBs and other devices in the workplace.”