Navigant Research Blog

Honeypots Teach Us About Attackers

— April 11, 2014

Security researchers will try almost anything to find out who is attacking their clients and how.  One of their best-loved and most effective techniques is a honeypot.  First developed about a decade ago, a honeypot is a decoy system or network – a tempting target for attackers that is not really a target at all, but a trap.  The objective is to lure attackers into the honeypot and then watch how they work.  Attackers’ methods are almost like fingerprints; researchers who are familiar with a number of attackers can often identify the attackers simply by watching their step-by-step process of discovery through the honeypot.  Researchers do have other methods as well, such as tracing IP addresses or even fingerprinting the attackers’ browser – adding source code to the attackers’ browser that reveals more about their identity.

Attackers are, of course, aware that honeypots exist, so preparation of an effective honeypot must be extremely detailed.  To set up a honeypot requires a fair bit of planning to make the target look as realistic as possible.  Eventually, the attackers will realize that they’ve been had, so the objective is to keep them in the honeypot as long as possible to gather as much information as possible about their methods and their identity.

One security researcher described one of his honeypots in a talk at the SANS 9th Annual ICS Security Summit.  Kyle Wilhoit of Trend Micro described a scenario in which he set up juicy but fake targets on five continents and then watched them be attacked.   Each was a model of a control system for a small municipality water pump.  Connected directly to the Internet and with insufficient protection, this water pump looked like easy pickings, and it was attacked nearly 100 times.  Again, the attackers were not attacking an actual water pump but were instead sending commands to a simulation of a water pump – the honeypot.

Disturbing Motives

Perhaps most disturbing to me is that most of the attacks that Wilhoit reported were attempted sabotage, not data exfiltration.  Nearly all of my recent research indicates that large-scale persistent attacks against control networks have been data exfiltration for competitive advantage.  In this case, however, data exfiltration attempts were a minority of all attacks.  Even some well-known attack teams supported by hostile nation-states attempted to disable the water pump, not simply exfiltrate its data.  For me, this requires a rethink:  Is all that data exfiltration really just for competitive advantage or are attack plans being prepared?  As ever, only the attackers know, but this one project suggests that there may be more attack planning than has been assumed.

You might think that attackers seeing a control device connected directly to the Internet would say, “Nah, this is too good to be true.”  And then seeing a control device directly connected to the Internet with little or no security – “It just has to be fake, right?”  Sadly, no.  Attackers are accustomed to discovering real systems like this all day long – directly connected to the world and with no protection.

My conclusion is mixed.  Honeypots are an effective tool for learning about our adversaries.  Yet, honeypots work because the unprotected systems that they mimic are commonplace in our industry.

 

Cyber Security Community Finally Faces Reality

— April 8, 2014

It’s springtime, so the Navigant Research team is on the road again, speaking at conferences.  This spring’s cyber security conferences have confirmed what I’ve said in this blog for some time now:  the hype is over; the hard work is here to stay.

At SMi’s European Smart Grid Cyber and SCADA Security conference in London, traditionally a showplace for vendors to hawk their wares, there was a decidedly more technical focus this year.  Enel of Italy gave a detailed description on the various projects running in its lab in Pisa, describing how cyber security is integral to each.  It was inspiring to see cyber security integrated at the outset of a project, rather than after a bad audit.  Equally instructive was the description of Enel’s experimental area in Livorno, where many of the company’s new technologies first see public adoption.  Other speakers at this conference continued the technical thread, with topics such as descriptions of self-learning network anomaly detection, and traditional devices such as firewalls and intrusion detection that have been specifically reengineered for control networks.  The unmistakable message that I brought back from London: cyber security vendors have finally accepted that the utility industry is like no other.

Future at Risk

The SANS ICS Cyber Security Summit in Orlando, Florida offered similar but more technical fare.  Adam Crain and Chris Sistrunk described their eponymous vulnerabilities.  They have demonstrated how to disable a utility substation or control console via the serial protocol DNP3.  This is critical because DNP3, which is non-routable, had been previously considered immune to attack.  Another safe assumption bites the dust.  Eric Byres of Tofino Security gave a surprisingly accessible description of deep packet inspection in control networks – a topic normally best saved for researchers and PhDs.  There was also a fascinating Trend Micro report on a control network honeypot deployment, which will be the subject of my next blog.

The unifying theme at both conferences was that protecting control networks is hard work that is never really finished.  Our reports, including Industrial Control Systems Security, have been saying this for 4 years now.  Utility cyber security vendors are finally getting the message.  And to be fair, a few vendors have always understood.

Nonplussed

But challenges remain.  At both conferences, my remarks described the existential threat facing many utilities.  One U.S. utility CEO declares that the grid’s days are numberedThe Economist reports that European utilities have lost half a trillion euros of market cap since 2008.  Reactions to that news were often blank stares or utter confusion – as if the financial health of utilities has nothing to do with their deployment of cyber security.

This too must change.  Security vendors are not competing with each other, so much as they are wrestling with the future of the industry.  Just as understanding settles upon the community, the odds become daunting.

 

Nest Faces Lawsuit over Alleged Thermostat Flaws

— March 31, 2014

Nest Labs faces a new lawsuit brought by a dissatisfied Maryland customer who claims the Nest thermostat that he purchased is defective since the faceplate heats up and inaccurately measures a room’s actual temperature.  The suit, which seeks class action status, asks for more than $5 million on behalf of other Nest buyers.

The lawsuit was filed by Justin Darisse of Gaithersburg, Maryland and alleges Nest “increases costs because Nest heats up, which causes Nest’s temperature reading to be from 2 to 10 degrees higher than the actual ambient temperature in the surrounding room.”  The suit also alleges the company violates warranty and consumer protection laws.  Darisse also noted in his suit that he would have kept his $30 Honeywell thermostat had he known the Nest device, which retails for $250, would not help lower his energy bill.

Not the First Suit

Nest Labs, which is now owned by Google after a January acquisition, has declined to comment on the suit.  Nest is no stranger to lawsuits, though. There is a pending suit with Honeywell over alleged patent infringement and another patent infringement suit brought by BRK, maker of First Alert smoke alarms, related to Nest’s introduction of its Protect smoke alarm.

While the merits of this latest lawsuit will be debated for some time, the truth is that Nest and parent Google will need to fight the negative perceptions this suit is likely to generate, especially if it does attain class action status.

Mixed Bag

There is no question a Nest thermostat provides some very cool features: it has Wi-Fi to connect with a mobile device, and it learns the patterns of people in a home and can make adjustments automatically.  But my own experience has been mixed.  I installed one in my home last year to control my natural gas furnace, and so far, I have used the same number of Btus over the past 7 months as in the same months the year before.  And the installation was not easy, requiring me to hire an installer to come in after I spent many hours on my own and with a Nest tech via phone to no avail.  Also, two friends have had issues with the Nest thermostat they purchased.  One said his energy bill increased after installing his Nest thermostat.  The other also had trouble installing it by himself and later got so fed up after a software update went bad that he had it replaced with a more standard thermostat.

Now it looks like Nest could have some explaining to do in court. More to come on this, I’m sure.  And for more on the market for smart devices for energy management in the home, please sign up for Navigant Research’s webinar, “Home Energy Management,” on Tuesday, April 1 at 2:00 p.m. EDT.  To register, click here.

 

Utilities Boost Efficiency with Smart CVR

— March 18, 2014

Dynamically optimizing voltage levels via sophisticated smart grid technologies, smart grid conservation voltage reduction (CVR) continuously reduces energy consumption and demand during peak periods, when electricity prices are inflated and demand may exceed the available energy.  At American Electric Power (AEP) in Ohio, 17 circuits have already been equipped and tested with smart CVR capability, and the initial results were so promising that AEP Ohio is now doubling down on this technology.  Utilidata will deploy its advanced CVR solution on 40 more circuits at AEP Ohio.  Ram Sastry, director of distribution services support at AEP, is confident that smart CVR will give the company’s energy efficiency program a turbo boost.  Also in Ohio, Duke Energy aims to have a systemwide smart CVR deployment (a project called Integrated Volt/VAR Control, or IVVC) in full production by 2015 to reach the state’s energy efficiency and peak reduction targets over the next 10 years.  Duke Energy used a small portion of the $200 million the company received in Department of Energy (DOE) smart grid investment grants to help finance the CVR investments in Ohio, one of many states that now incorporate CVR as an energy efficiency resource.

Untapped Potential

The DOE investment grants, combined with companies’ matching investments, are expected to result in the installation and/or automation of about 18,500 capacitors nationwide between 2009 and 2014, according to a recent presentation from the DOE.  (Automated capacitors play an integral role in most smart CVR projects.)  This is a large sample set of automated capacitors, serving as a nationwide demonstration of smart CVR, spurring osmosis between utilities and capturing interest from the National Association of Regulatory Utility Commissioners.  Not all 18,500 automated capacitors are to be used for smart CVR, but even if they all were, that would represent only enough capacitors to populate a small fraction of all substations and feeder circuits in the United States.  In other words, there’s a large, untapped market for smart CVR.

Government smart grid funding is nearing its end, but manufacturers and vendors of smart grid equipment and CVR software solutions will soon see a nice boost from increased adoption of smart CVR outside of DOE-funded projects.  Navigant Research’s Conservation Voltage Reduction report analyzes the market for smart CVR in North America.  While the market is still forming, revenue from smart grid equipment and software products dedicated to CVR solutions is expected to reach $30 million to $40 million this year.  With an intention to meet efficiency targets, most major utilities are already piloting various CVR control schemes.  As more large-scale deployments are expected to ramp up over the next few years, smart CVR component sales are expected grow into a $100 million market annually by 2017.  Total utility spending associated with smart CVR, including planning, installation and systems integration costs, could easily be 2 to 3 times higher.

 

Blog Articles

Most Recent

By Date

Tags

Clean Transportation, Electric Vehicles, Energy Management, Energy Storage, Policy & Regulation, Renewable Energy, Smart Energy Practice, Smart Grid Practice, Smart Transportation Practice, Utility Innovations

By Author


{"userID":"","pageName":"Smart Utilities Program","path":"\/tag\/smart-utilities-program","date":"4\/19\/2014"}