
Hardware-Layer Intelligence Collection for Smart Grid Embedded Systems

Published in: Journal of Hardware and Systems Security

Abstract

Smart grids include a variety of microprocessor-based embedded systems interconnected through communication technologies. In this interaction, hardware is the lowest level of abstraction. Insecure and unprotected hardware design of smart grid devices enables compromise of system operation, eventually leading to undesirable and often severe consequences. In this paper, we discuss how the hardware of grid equipment can be used to collect intelligence that is put to beneficial or malicious purposes. We consider different access scenarios and attacker capabilities, as well as the location of the equipment in the grid. The outcome of “hardware hacking” is examined at both the device and grid-operation levels. Finally, we present hardware hardening techniques that aim to make components attack-resistant and reduce their vulnerability surface.


Notes

  1. In cryptography, zeroization is the method of erasing sensitive information, such as cryptographic keys and critical memory contents, from a cryptographic module to prevent its disclosure if the equipment is tampered with.



Corresponding author

Correspondence to Charalambos Konstantinou.


Cite this article

Konstantinou, C., Maniatakos, M. Hardware-Layer Intelligence Collection for Smart Grid Embedded Systems. J Hardw Syst Secur 3, 132–146 (2019). https://doi.org/10.1007/s41635-018-0063-0
