Menu

IoT FEATURE NEWS

NYU Security Researchers at Black Hat Reveal How to Protect the Power Grid

By Ken Briodagh July 27, 2017

Cyberattacks against power grids and other critical infrastructure systems have long been considered a threat limited to nation-states due to the sophistication and resources necessary to mount them, and the increased implementations of IoT into the Smart grid. At the Black Hat USA 2017 conference in Las Vegas, a team of New York University researchers will challenge that notion by disclosing vulnerabilities in a component that combined with publicly available information provide sufficient information to model an advanced, persistent threat to the electrical grid.

Michail Maniatakos,  a research professor at the NYU Tandon School of Engineering and an assistant professor of electrical and computer engineering at NYU Abu Dhabi, will detail the discovery of a security flaw in the authentication mechanism of a legacy protective relay — a component that responds to changes in flow across the grid to isolate electrical faults. The vulnerability allows an attacker with local or remote access to extract and reverse-engineer the weakly encrypted and easily accessed passwords used to reprogram the relay's protective setpoints.

Maniatakos and his collaborators also will demonstrate how information about network topology and grid components may allow adversaries to create a model of the power system — information that can be used to pinpoint the most critical nodes of the system. Examples:

•           Some local energy commission meetings, disclosing critical power usage information, are available on YouTube.

•           Equipment suppliers market the sale of their critical equipment online, alerting potential adversaries to where their equipment is used.

•           The researchers were able to use Google Earth to track power lines.

•           The team was able to purchase the relay on eBay for about $1,000, and other equipment critical to the grid is also publicly available.

"It is essential that at each step, the energy industry considers the implications of their communication – disclosing information for the right reasons," Maniatakos said. "Some regulatory changes are clearly needed: We should never have been able to inexpensively purchase equipment critical to the power grid. But one of the most important lessons this study delivers is that cybersecurity must not be regarded as a simple issue of complying with regulations. It must be viewed as an integral element of design and operation."

The NYU researchers worked closely with GE, the manufacturer of the Multilin relay series, to release a patch to secure the vulnerability shortly after the NYU team disclosed the flaw to the company in 2016; they made only some of their findings public at Black Hat 2017 so that utilities and GE would have time to implement fixes. Their research is based on experiments in a laboratory setting, and their published findings neither instruct nor detail successful strategies for attacking existing infrastructure systems. Rather, the work highlights how such software vulnerabilities, along with publicly available yet sensitive information about the power grid, increases the potential for infrastructure attacks.

In addition to Maniatakos, the research team contributing to the Black Hat presentation includes NYU Tandon doctoral students Anastasis Keliris and Charalambos Konstantinou. Their findings will be published by Black Hat in a paper entitled GE Multilin SR Protective Relays Passcode Vulnerability. ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), the U.S. cyber emergency response team, published the NYU-GE coordinated disclosure in April 2017.




Edited by Ken Briodagh

Editorial Director

SHARE THIS ARTICLE
Related Articles

IoT Zombie Apocalypse and Post-Quantum Crypto: A Q&A with Infineon's Steve Hanna

By: Paula Bernier    2/23/2018

Steve Hanna has seen it all. But one thing Infineon's senior principal has not seen - and doesn't want to see - is the IoT zombie apocalypse.

Read More

Sustainable Smart Cities and How Natalia Olson-Urtecho Leads with Passion

By: Cynthia S. Artin    2/23/2018

Natalia Olson-­Urtecho is a city planner by education, a technologist by life­long learning, and a visionary strategist in the brave new world of conn…

Read More

IoT Accelerators on the Rise

By: Ken Briodagh    2/22/2018

Everyone in the IoT is looking for the best way to grow the industry, while also finding partners that will help their own companies grow. At the mome…

Read More

IoT for The Aging: You're Never Too Old To Innovate

By: Special Guest    2/22/2018

In the digital era of smarter cities and smarter homes, one of the biggest potential markets for IoT solutions is enabling aging people to remain inde…

Read More

Haltian Delivers Devices and Data to Lindstrom Textile Company

By: Ken Briodagh    2/22/2018

Finnish Internet of Things (IoT) device manufacturer Haltian reportedly is supplying Lindström with more than 100,000 IoT devices and a managed IoT da…

Read More