3.1 Vulnerability Classes


Network Scanning for Discovering Vulnerabilities

Raymond Cordova, MEIA

University of Colorado at Colorado Springs, Colorado, 2010

A Thesis Submitted to the Faculty of the Graduate School at the University of Colorado at Colorado Springs in Partial Fulfillment of the Requirements for the degree of Master of Engineering in Information Assurance

Department of Computer Science

Thesis for the Master of Engineering Degree in Information Assurance by Raymond Cordova has been approved for the Department of Computer Science

Advisor: Dr. C. Edward Chow

Dr. Jugal K. Kalita

Dr. Rory Lewis




Network Scanning for Discovering Vulnerabilities (Master of Engineering, Information Assurance)

Thesis directed by Associate Dean Professor C. Edward Chow, Department of Computer Science


With the advent of the 9/11 terrorist attacks and the subsequent identification of the vulnerabilities of our most critical systems, including the power grid, directives from government entities such as Homeland Security and a whole host of others have coined the term "Smart Grid" to describe Industrial Control Systems (ICS) as the power grid of the near future: an intelligent, self-healing, real-time system. The smart grid will encompass the integration of communications networks with the power grid in order to create a communications superhighway capable of monitoring its own health at all times, alerting authoritative entities immediately when problems arise, and automatically taking corrective actions that enable graceful failover to prevent a local failure from cascading out of control, as in the Great Northeast Blackout that happened August 14, 2003. The ongoing effort to develop communications products and technologies specifically designed to operate reliably in harsh environments around the world must be used for mission critical applications including power grid system security, system protection and control using a variety of media and technologies.

The smart grid will encompass the integration of communications networks with the power grid. In order to create a communications superhighway capable of monitoring its own health at all times, the grid must be capable of alerting authoritative entities immediately when problems arise. The ongoing effort to develop communications products and technologies specifically designed to operate reliably in harsh environments around the world must be proven for use in mission critical applications. These efforts to develop new products include power grid system security, system protection and control using a variety of media and technologies. Many commercial vendors have recognized the demand for specialized products such as hardened servers, routers and Ethernet switches. The development of a Smart Grid has focused on security, since the new Industrial Control Systems (ICS) will inherently have all of the vulnerabilities of Internet and computer based systems. It will be critical for smart grids to provide confidentiality, integrity and availability to ensure the critical infrastructure is not compromised in the event of a malicious hacker, catastrophic failure, cyber event or unforeseen disaster. Of particular concern are Advanced Meter Infrastructure and Reading (AMI/AMR) solutions. Authoritative entities have produced the NIST 800-82 Guide to Industrial Control Systems Security (ICSS) in an effort to provide guidance to establish secure Industrial Control Systems (ICS) [11]. The methodology and prevention of attacks on ICS networks is by far one of the most important projects since the creation of the Internet. It should be noted that the number of vulnerabilities that can be exploited, and the critical nature of an exploit, are much greater than for Internet and computer based vulnerabilities. Not only must the development of Supervisory Control And Data Acquisition (SCADA) systems, ICS or Smart Grids take conventional computer based vulnerabilities into account, but also the new and ambiguous vulnerabilities being identified that are unique to the critical security of the smart grid industry. Only strict adherence to the requirements and an ongoing System Development Life Cycle can continually ensure security in ICS networks. In this manner, security can be built into the systems that are critical to the safe operation of critical infrastructure components. The AMI/AMR solution is discussed herein as the emerging technology evolves, with a focus on security for the small leaf products connected to the ICS. The AMI/AMR solution must be as secure as any other component of the Supervisory Control and Data Acquisition (SCADA) system. For anyone interested in a better understanding of SCADA security, information on AMI/AMR security is only one aspect of the ongoing emerging effort to employ security in compliance with homeland security initiatives and the National Institute of Standards and Technology


I would like to take the opportunity to sincerely thank Dr. Edward Chow for the support, his tireless efforts, the valuable time he spends in consultation, the encouragement he has provided, and the direction to guide me and others through the challenging coursework at UCCS. This is my opportunity to thank Dr. Chow, being that he does so much for others, generously giving his time and providing help and motivation. I truly appreciate Dr. Chow for the person that he is.

Also, thanks to Renaud Deraison from Tenable Nessus for providing the ProFeed version of the Nessus scanner for the experiments and research. Without his contribution, this research would not have been possible.

Table of Contents

Table of Contents
List of Figures
1.0 Industrial Control Systems Recommended Guidelines, Standards and Regulations in Emerging Technology
2.0 Emerging Technology
2.2 Wireless Comes of Age
2.3.1 Low Power Radio
2.4 Long Range Two-Way Tower Gateway Base-Stations (TGBs)
2.4.2 Licensed Private Frequency Option
2.5 WiMAX Option
2.6 WiFi Option
2.7 FemtoCells
2.8 Active Line Access (ALA)
2.9 Power Line Carrier (PLC)
2.10 Combinations of Physical Media
2.11 Other Options
3.0 Vulnerabilities
3.1 Vulnerability Classes
3.2 Vulnerabilities Ignored
3.3 The Need for Regulation and Management
3.4 Vulnerabilities in Smart Meters
4.0 Secure the Network, ICS, or Smart Grid
4.1 Nessus Scanning
4.1.1 Bandolier
4.1.2 Compliance Checks
4.1.3 Compliance Checks versus Vulnerability Scans
4.1.4 Examples: Service Auditing
4.1.5 Bandolier Schedule and Deliverables
4.1.6 Development Approach
4.1.7 Extending Bandolier with Nessus Credentialed Scanning
      Nessus Credentialed Scanning
      Technology
      Windows
      Unix
4.1.8 Policy Compliance Plug-ins
4.1.9 Patch Auditing
4.1.10 Netstat Port Scanner
4.1.11 Reporting
4.1.12 Nessus Scanner Use
      Nessus User Configuration Tab
      Nessus Policy Configuration Tab
      Nessus Scan Tab
      Nessus Report Tab
4.1.13 Nessus Performance
4.1.14 Customize Policies
4.2 Notable Projects in the United States
4.3 Selected Vendor Smart Meters
4.3.1 Itron OpenWay
4.3.2 Texas Instruments Smart Meters with Secure Pre-Payment
      Texas Instruments Smart Meters
      System-on-Chip Solutions
      Standard-Based Networks
      Proprietary Networks
      Development Platforms
4.3.3 MBUS3 Firmware
5.0 Difficulties and Lessons Learned
6.0 Conclusion
7.0 References
Appendix A ENSDV, Nessus Quick Reference Installation and Upgrade Guide
A.1 Nessus Background
A.2 OS Support
A.3 Prerequisites
A.4 Installation
      A.4.1 Red Hat ES 4 (32 bit), ES 5 (32 and 64 bit)
      A.4.2 Fedora Core 10 (32 and 64 bit), 11 (32 and 64 bit) and 12 (32 and 64 bit)
      A.4.3 SuSE 9.3, 10
      A.4.4 Debian 5 (32 and 64 bit)
      A.4.5 Ubuntu 8.04, 8.10 and 9.10 (32 and 64 bit)
      A.4.6 Solaris 10
      A.4.7 FreeBSD 7 (32 and 64 bit)
      A.4.8 Windows
A.5 Upgrading Unix/Linux
      A.5.1 Red Hat ES 4 (32 bit), ES 5 (32 and 64 bit)
      A.5.2 Fedora Core 10 (32 and 64 bit), 11 (32 and 64 bit)
      A.5.3 SuSE 9.3, 10
      A.5.4 Debian 5 (32 and 64 bit)
      A.5.5 Ubuntu 8.04, 8.10 and 9.10 (32 and 64 bit)
      A.5.6 Solaris 10
      A.5.7 FreeBSD 7 (32 and 64 bit)
      A.5.8 Windows Upgrade
Appendix B ENSDV Nessus Configuration
      B.1 Nessus Major Directories
      B.2 Nessus Server Manager
      B.3 Changing Default Nessus Port
      B.4 Registering the Nessus Installation
      B.5 Adding User Accounts
      B.6 Host-Based Firewalls
      B.7 Other Operating System Configuration
Appendix C Subject Descriptors
Appendix D Nessus Scan Performance

List of Figures

Figure 2.1 ICS Security
Figure 2.2 Emerging Technology Physical Challenges
Figure 2.3 Smart Metering Scope
Figure 2.4 Wired and Wireless Options
Figure 2.2.1 The ZigBee 7mm X 7mm chip
Figure 2.2.2 Low power mesh infrastructure
Figure 2.4.1 Long Range Radio Infrastructure
Figure 2.4.2 Sensus Flex
Figure 2.6.1 Tropos WiFi Infrastructure
Figure 2.7.1 IxCatapult Testing on the lu FemtoCell Gateway
Figure 2.7.2 3G Core Network Emulation with the Tektronix G35 Protocol Tester
Figure 2.7.3 Agilent FemtoCells Test Solutions
Figure 2.9.1 Power Line Carrier
Figure 2.9.2 PLC Circuitry to Retrofit Meter
Figure 2.9.3 PLC Substation Outbound Modulation Unit (OMU)
Figure 2.9.4 PLC Substation Control and Receiving Unit (CRU)
Figure 2.9.5 High Speed 100Kb/s PLC Transceiver Chip
Figure 2.10.1 Combinations of Physical Media
Figure 4.1 Smart Meter Implementation Percentages by Country
Figure 4.1 Configuration Screen for Credentials
Figure 4.2 Policy Compliance Plug-ins
Figure 4.3 Example plug-in Selection of OS and Application Security Scan
Figure 4.4 Example of Netstat Option with Safe Checks Enabled
Figure 4.5 Report Example of the iepeers_dll_0day.nasl plug-in
Figure 4.6 Nessus User Tab
Figure 4.7 Nessus Policy Tab
Figure 4.8 Nessus Scan Tab
Figure 4.9 Nessus Report Tab
Figure 4.10 Windows Scan Time
Figure 4.11 Unix Scan Time
Figure 4.12 Memory Usage
Figure 4.13 System Load
Figure 4.3.1 Itron OpenWay® Solution
Figure 4.3.2 CC2530ZDK Cost
Figure 5.1 Successful Nessus Database Rebuild and Re-index
Figure 4.8.1 Windows Nessus Download Files
Figure 4.8.2 Windows Nessus Welcome Screen
Figure 4.8.3 Windows Nessus License Agreement
Figure 4.8.4 Windows Nessus Destination Folder
Figure 4.8.5 Windows Nessus Setup Type
Figure 4.8.6 Windows Nessus Install Dialog
Figure 4.8.7 Windows Nessus Completion Dialog
Figure B.2.1 Windows Server Manager Configuration
Figure B.5.1 Activated Windows Server Manager Dialog
Figure B.5.2 Nessus User Management Dialog
Figure B.5.3 Nessus Add/Edit User Dialog
Figure B.5.4 Activated Windows Server Manager Dialog


The ability to secure the Smart Grid is critical to ensure the power grid is protected from terrorist attacks, accidental events or natural disasters. Industrial Control Systems (ICS) had little to do with Internet systems, in that ICS were isolated systems running proprietary control protocols on specialized hardware and software. ICS networks, which include supervisory control and data acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), are often found in the industrial control sectors. ICS networks are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. Furthermore, approximately 90 percent of the nation's critical ICS, Smart Grid, and SCADA infrastructures are privately owned and operated.

With all these issues in mind, this paper explores the emerging technology, its security, common and obscure vulnerabilities, and various related topics. It should be noted that this is a field with a multitude of opportunities requiring extensive research and work [19]. The chosen direction of research is exploring the use of the Nessus ProFeed scanner as a solution for automatic centralized discovery of vulnerabilities and compliance checks in ICS networks. The focus is to develop a methodology and enhance the tool into a customizable solution for network scanning to discover vulnerabilities and check compliance against the varying requirements of ICS/Internet integrated environments.

1.0 Industrial Control System Recommended Guidelines, Standards and Regulations in the Emerging Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare and provides technical leadership for the nation's measurement and standards infrastructure. Specific requirements and methodologies for information system categorization are described in NIST FIPS 199. The requirements for addressing minimum security controls for a system are described in NIST SP 800-53 (Recommended Security Controls for Federal Information Systems) and NIST FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems). ITL responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in the nation's computer systems, including those that have emerged to provide control of industrial control networks.

In the emerging stages of development, inexpensive Internet Protocol (IP) devices began replacing proprietary isolated systems running proprietary control protocols on specialized hardware and software. The possibility of cyber security vulnerabilities and incidents increased as ICS began adopting Internet solutions to promote corporate business systems connectivity and remote access capabilities [19]. A different approach was needed to address the issues [18]. These new design implementations using industry standard computers, operating systems (OS) and network protocols began to resemble Internet systems. These Internet integration solutions provided the needed capabilities, but they also introduced a multitude of vulnerabilities, problems, and issues and provided significantly less isolation for ICS from the outside world, creating a greater need to secure these systems. All have their own peculiarities and issues to address. These emerging technologies have become a significant challenge to implement properly in ICS. As mentioned earlier, meeting the ITL standards set forth in the NIST 800 series documents is a challenging and daunting task. This task is coupled with securing Internet access to ICS systems, isolating the ICS, and providing a secure, safe, reliable control system. It is interesting to note how emerging technologies have lowered infrastructure costs by using existing physical entities and infrastructure.

Organizations must implement tactical security solutions and meet compliance in several core areas. Among the most common such organizations are the municipal and rural utility companies. The experience of creating both general and customized security engineering solutions must be developed for new and existing security technology deployments. Solutions must be developed by leveraging field experience in security engineering and by focusing on environmental constraints, including accounting for the technical overview of Control System cyber security, threats, vulnerabilities, and mitigation strategies. The vendors and organizations must comply with all standards set forth by the National Institute of Standards and Technology (NIST) and Homeland Security initiatives. Security solutions have been designed to deal with the security issues in AMI/AMR solutions, with special precautions taken to protect the devices and technology implementations. As these AMI/AMR solutions are implemented, there must be a controlled effort to ensure security is built in, so as not to produce results similar to the problems encountered during the staggering growth of the Internet, which produced undesirable circumstances in which services were the most important factor.

Many commercial vendors have recognized the demand for specialized products such as hardened servers, routers and Ethernet switches, Encrypted Receiver Transmitter (ERT) Meters, and a variety of other devices to complete the communications backbone solution for the smart grid. The development of a Smart Grid has focused on security, since the new ICS will inherently have all of the vulnerabilities of Internet and computer based systems. It will be critical for smart grids to provide confidentiality, integrity and availability to ensure the critical infrastructure is not compromised in the event of a catastrophic failure, cyber event or unforeseen disaster. Authoritative entities have produced the NIST 800-82 Guide to Industrial Control Systems Security (ICS) [11][19] in an effort to provide guidance to establish secure industrial control systems (ICS). The methodology and prevention of attacks on ICS networks is by far one of the most important projects since the creation of the Internet. The wide variety of available hacking tools has the Information Technology industry in a precarious state of insecurity, whereas efforts to prevent the unauthorized use of the ICS network are of critical importance and are one of the most important aspects of protecting smart grid computing systems. This is a task that will take systems administrators, security administrators and utility employees into a new realm of security to defend the ICS network against those attacks and unforeseen events. It should be noted that the number of vulnerabilities that can be exploited, and the critical nature of an exploit, are much greater than for Internet and computer based vulnerabilities. Not only must the development of Supervisory Control And Data Acquisition (SCADA) systems, ICS or Smart Grids take conventional computer based vulnerabilities into account, but also the new and ambiguous vulnerabilities being identified that are unique to the critical smart grid industry. Policies and processes exist, with new vulnerabilities being discovered daily and new tools, code, procedures and processes generated daily to address any deficiency in the development of smart grid systems. Only strict adherence to the requirements and an ongoing System Development Life Cycle and Security Development Lifecycle can continually ensure security in ICS networks. In this manner, security can be built into the systems that are critical to the safe operation of critical infrastructure components.

2.0 Emerging Technology

There have been many problems associated with the rapid growth of the Internet. The vulnerabilities associated with the Internet are well known problems that introduce a critical security problem for ICS. Many of the solutions to prevent these vulnerabilities have been no more than band-aid fixes that are not at all ideal in their implementation. Many of the solutions to the problems have only introduced other problems that bring other security risks. With all the problems that currently affect IP based technology, it becomes imperative to follow the directives set forth by the NIST 800 series documents. It becomes a monumental task to secure an already vulnerable IP-based system and to secure emerging technology. Emerging technology solutions have inherent vulnerabilities in their own implementations. For example, the Advanced Metering Readers (AMR) infrastructure could be compromised by hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, natural disasters, as well as malicious or accidental actions by insiders. It has become normal practice to provide perimeter security, antivirus solutions, and regular patching of operating systems and applications. It seems reasonable to expect emerging technologies will require all the traditional tasks of security updates, patches and upgrades, as well as System Development Life Cycle activity for the emerging technologies implemented to provide solutions to ICS. The ICS must provide availability, integrity and confidentiality. As the emerging technologies are implemented, care must be given to the implementation and infrastructure with a focus on three components: the availability, integrity, and confidentiality of the ICS are critical and must be strictly adhered to in order to provide a safe and secure system.

The implementation of security in the leaf products of the various AMI/AMR devices becomes a major task in providing a reliable and safe solution for gathering information from millions of end points. As is the case with any emerging technology, new solutions have inherent vulnerabilities, and the Advanced Metering Infrastructure/Advanced Metering Readers (AMI/AMR) is no exception to attacks from hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, natural disasters and malicious or accidental actions by insiders. These smart meters are considered a device that can be used to gain access to the larger infrastructure, the SCADA power grid. Therefore, every precaution must be taken to protect the meters, since these smart meters are a potential gateway to the more critical SCADA power grid infrastructure.

Several problems are associated with securing smart meters. These meters must update usage statistics for several resources, which include but are not limited to gas, water, and electricity. It is critical that every effort to maintain security for these devices becomes normal practice in order to provide a safe and secure system. The following figures illustrate the infrastructure, physical challenges, scope, and wired and wireless solutions:

See Figure 2.1 for an illustration of securing a typical ICS [3].

Figure 2.2 shows the challenge of physical security [3].

See Figure 2.3 for the scope of the smart metering system [20].

Figure 2.4 shows a typical ICS infrastructure with wired and wireless


Figure 2.1 ICS Security (from "Securing Control Networks", Smart Grid Education Workshop, Chow, 5/29/2009)

Figure 2.2 Emerging Technology Physical Challenges

Graphics use permission granted from Dr. Edward Chow, UCCS, 2010

Figure 2.3 Smart Metering Scope

Figure 2.4 Wired and Wireless Options

2.2 Wireless Comes of Age

The use of radio technology to provide wireless solutions for such devices as mobile phones, laptop computers and common consumer equipment makes wireless technologies a feasible option for solutions that provide business capabilities and remote access to ICS. All of these applications are based upon silicon radio transceivers to relay voice or data communications. The many types of wireless communications are usually distinguished by the frequency band, the standards used, and the primary application. Silicon transceivers and specific protocol stacks have contributed to the development of wireless solutions that allow devices, meters and sensors to be networked using technology similar to that used to link mobile phones and headsets. Many wireless applications such as ZigBee, Bluetooth and Z-Wave have been implemented as computing and telecommunications solutions in markets such as home automation and building control, SCADA systems and even livestock control. Many other commercial options for low power radio have been specifically developed, evolved and emerged as viable solutions for utility communications. Emerging implementations include the M-Bus standards used for smart metering in northern Europe, the Wavenis solution used for water metering in France and the Trilliant platform being used by some utilities in Canada. Utilities in America and Australia offer a specific Smart Energy profile with ZigBee, which was developed to provide smart metering connectivity to home area networks.

See Figure 2.2.1 for a picture of the ZigBee chip. Refer to Figure 2.2.2 for an example of a low power radio system that operates using a mesh network. This infrastructure design bounces packets of data through a series of nodes to reach their target. This type of network topology offers the protection of avoiding potential single points of failure in a network, which is critical in the design of the solution. However, this type of mesh network increases the power consumption of every fully functional node: each node must be able to receive and transmit data to and from other nodes in close proximity whenever data transfers are required. Some mesh based devices will be configured as non-repeating "end" devices to facilitate lower power consumption where the lesser redundancy will not compromise availability, confidentiality or
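The availability trade-off described above (a mesh avoids single points of failure, but demoting relay nodes to non-repeating end devices removes redundancy) can be checked on paper before meters are deployed. The following is an added example, not code from the thesis or any vendor: it runs a single-point-of-failure check over a small constructed topology (all node names and links are assumptions) in which end devices never forward, and compares the mesh with a point-to-multipoint layout and with a variant where one relay has been reconfigured as an end device.

```python
"""Single-point-of-failure check for a low power radio mesh.

Added example, not from the thesis. Models the behaviour the text describes:
fully functional nodes relay for their neighbours, non-repeating "end"
devices only talk to adjacent nodes and never forward, and every meter must
be able to reach the data concentrator (the backhaul node). All node names
and links below are constructed for illustration.
"""
from collections import deque

SINK = "concentrator"  # assumed name for the backhaul node

# Constructed mesh: R1..R4 are relaying nodes, E1/E2 are end devices.
MESH_LINKS = {
    "concentrator": ["R1", "R2"],
    "R1": ["concentrator", "R2", "R3", "E1"],
    "R2": ["concentrator", "R1", "R4"],
    "R3": ["R1", "R4", "E2"],
    "R4": ["R2", "R3", "E1", "E2"],
    "E1": ["R1", "R4"],
    "E2": ["R3", "R4"],
}
END_DEVICES = frozenset({"E1", "E2"})

# Constructed point-to-multipoint layout of the same meters: every meter
# hangs off one collector, which is the only path to the concentrator.
STAR_LINKS = {
    "concentrator": ["collector"],
    "collector": ["concentrator", "R1", "R2", "R3", "R4", "E1", "E2"],
    "R1": ["collector"], "R2": ["collector"], "R3": ["collector"],
    "R4": ["collector"], "E1": ["collector"], "E2": ["collector"],
}


def reachable_from(links, end_devices, start, failed=frozenset()):
    """Nodes reachable from `start` over surviving links.

    Breadth-first search. Failed nodes are never entered, and end devices
    are entered but never expanded, because they do not relay traffic.
    Links are symmetric, so reachability from the sink equals the set of
    meters that can reach the sink.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in end_devices and node != start:
            continue  # non-repeating end device: stop here
        for nbr in links.get(node, ()):
            if nbr in failed or nbr in seen:
                continue
            seen.add(nbr)
            queue.append(nbr)
    return seen


def single_points_of_failure(links, end_devices, sink=SINK):
    """Nodes whose loss strands at least one other meter from the sink."""
    meters = set(links) - {sink}
    spof = set()
    for candidate in sorted(meters):
        alive = reachable_from(links, end_devices, sink, failed={candidate})
        stranded = meters - {candidate} - alive
        if stranded:
            spof.add(candidate)
    return spof


if __name__ == "__main__":
    print("mesh SPOFs:", single_points_of_failure(MESH_LINKS, END_DEVICES))
    print("star SPOFs:", single_points_of_failure(STAR_LINKS, END_DEVICES))
    # Reconfiguring relay R4 as an end device to save power brings back
    # single points of failure: R1 and R3 now each strand other meters.
    demoted = END_DEVICES | {"R4"}
    print("mesh with R4 as end device:",
          single_points_of_failure(MESH_LINKS, demoted))
```

The same check applies to any candidate layout: feed it the planned links and the set of nodes intended to run as non-repeating end devices, and an empty result means no single node loss cuts a meter off from the concentrator.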


2.3.1 Low Power Radio

Low Power Radio provides a specific wireless approach to providing connections for a range of devices. Solutions are designed for small data transfers over relatively short distances. Many low power radio solutions such as ZigBee, M-Bus, KNX, Z-Wave, etc. are all competing for market share and frequently implement solutions in the business. A number of these solutions feature specific utility metering applications that require the use of a silicon radio transceiver. Several different types of these chips come with built in antennas, some with external antennas, and some come as a 'System on Chip'. There are devices that require an external microcontroller alongside the radio. The optimum design will be determined by the density of meters, types of housing and the local landscape. The Low Power Radio approach will require some form of data concentrator to provide a backhaul connection to the Data Transport. There are no fixed design solutions for the infrastructure, and low power radio signals can be affected by line of sight, co-existence and signal interference issues. Typically, data concentrators take the form of a 'black box' on a lamp-post or other street furniture. Optionally, a data concentrator could be a single meter in 200 that also has a modem connected to a fixed or wireless connection to the Data Transport. Each solution option offers different data transfer speeds determined by the signal frequency, and actual throughput will vary from advertised speeds. Speeds range from 20kbit/s to 250kbit/s, and can depend upon the type of network. Point-to-point throughput is always higher than that achieved within a mesh network, with performance varying by chipset and manufacturer. The licensed radio band for utility meters in the UK is 184MHz. Its data transfer speeds are comparatively low compared to unlicensed options. The cost of 184MHz radios is significantly higher than for other frequencies because of the low volumes in a specific licensed band.

There are several standards and proprietary solutions defined on top of IEEE 802.15.4. They share a common physical and medium access layer, but the current proprietary protocols at the application layer, as well as the networking protocols, make it impossible for these to interoperate. There are some exceptions, and it is possible for an 802.15.4 device to have limited communications with a ZigBee network. For instance, InterPAN communications can be allowed in a ZigBee Smart Energy Application Profile. These protocol stacks are the major difference between competing technologies. Each protocol stack has its own individual strengths and weaknesses. ZigBee, one of the more established protocol stacks with a specific interest in smart metering, was developed in the US to support Home Area Network operations. Competing technologies are emerging in this space. Low power radio systems must be designed to use as little power as possible to maximize battery life in many devices. Low power radio systems are being used in home automation and control, SCADA and a whole range of ICT applications. Low power radio solutions are increasing in the number of smart metering deployments. Low power radios have emerged as an established multi-million unit base of AMR systems using these technologies. It is important to note that some solutions can use the same radio chipsets or IEEE standards, but the protocols are not interoperable, e.g., a ZigBee radio will typically not speak to an 802.15.4 radio using a different protocol stack. Compatible extensions are emerging; for example, Wavenis has begun work with Bluetooth, and some 802.15.4 protocols will interoperate where there is collaboration between the manufacturers.

                  Figure 2.2.1 The Zigbee 7mm X 7mm chip

                 Figure 2.2.2 Low power mesh infrastructure

2.4 Long Range Two-Way Tower Gateway Base-Stations (TGBs)

 There are a number of existing applications and physical infrastructures for long range radio solutions that provide business capabilities and remote access to ICS. Traditional one-way broadcast delivery still has a place in limited applications; however, international examples use two-way long range radio, such as the Sensus FlexNet solution used widely in North America, or Metropolitan Area Networks based on WiFi or WiMAX operated by municipal utilities. Figure 2.4.1 below illustrates two different types of long range radio infrastructure. Note the backhaul connectivity in the upper half of the illustration and the mesh topology in the lower half. The metering options shown are a "Gas Smart" meter that depends on the "Elec Smart" meter for its communication, and an independent "Gas Smart" meter with its own radio.

                Figure 2.4.1 Long Range Radio Infrastructures

 An attractive benefit of long range radio tower solutions is the use of the tallest existing radio towers together with efficient high-gain antennas capable of receiving very weak signals with a high degree of accuracy. Several antenna options are available for the wide range of business functions and remote access applications. TGBs operate as the primary user of a nationwide licensed radio spectrum with a low noise floor. The systems are designed with high power endpoints (2 Watts) and all-digital modulation techniques, and the DSP-based receiver base stations are highly sensitive (-120 dBm to -130 dBm). TGB systems have also developed a meter-to-meter "Buddy" relay mode for hard to reach meters, e.g., meters in basements, behind line-of-sight barriers or in mountainous regions.

2.4.1 Licensed Private Frequency Option

 The service provider obtains a license for a section of the radio spectrum and allocates all or some of that allocation to smart metering use. The radio transceiver chip and antenna in each meter operate at the licensed frequency and communicate with a tower based radio infrastructure covering the area where the meters are installed. These towers are placed at a much lower density than the data concentrators of the other options, anywhere from 5 to 15 miles apart. Each tower requires equipment with a modem to provide the backhaul connection to the Data Transport. The data rate depends on the frequency used. Because this type of solution uses licensed frequency bands, the protocols are likely to be proprietary to the solution provider. The Sensus FlexNet solution, used widely in North America and particularly for one-way gas and water AMR services, provides 2 watts of transmit power from the meters with a 20 year battery life for gas and water meters performing daily updates. Tower-based radio is a fully mature technology that carries a great deal of broadcast media. Britain uses this type of communication, but mainly within National Grid's SCADA systems rather than as part of a metering solution. See Figure 2.4.2 for an illustration of the Sensus FlexNet infrastructure: the meter radio transmits to the Tower Gateway Base Station (TGB), and the TGB relays the data by modem to the Regional Network Interface (RNI).

                    Figure 2.4.2 Sensus FlexNet Architecture

 There are over 4,000 existing tower sites covering over 90% of the populated areas. The devices have been designed to integrate with existing paging equipment, which allows the sharing of power, antennae and data backhaul channels. Real-time monitoring and maintenance of the TGB towers, a critical service, is performed by trained and certified personnel. The patented technology, long-range radio communications, low infrastructure cost, high reliability and existing tall towers provide a scalable fixed network with a high level of availability. This is a mature, proven technology that benefits from the merge with existing physical tower structures and infrastructure.

 In summary, a licensed private frequency is a viable option for business capabilities and remote access: towers 5 to 15 miles apart, placed at a much lower density than data concentrators, each with a modem providing backhaul to the Data Transport, and with a data rate that depends on the frequency used. Sensus FlexNet, which provides 2 watts of transmit power from the meters and a 20 year battery life for gas and water AMR meters performing daily updates, is the widely deployed North American example, particularly for one-way gas and water AMR services, and National Grid in Britain uses the same type of communication within its SCADA systems. Municipal utilities in the US are also taking advantage of existing metropolitan WiFi infrastructure for multi-utility metering services in cities such as Lafayette, Burbank and Corpus Christi.

2.5 WiMAX Option

 WiMAX, defined by the IEEE 802.16(x) standards, is marketed as a 4G technology and is known as the "last mile" wireless solution, built on a cellular style antenna infrastructure. WiMAX is a neighborhood/metropolitan technology, whereas WiFi is a local technology; the two should not be confused. The meter hardware requires a WiMAX chipset [10], and the solution requires the installation of antennas on structures in each cell, with typical spacing of 3 to 10 km. Although WiMAX antennas are more expensive than WiFi and cellular equipment and devices, costs continue to fall and the option may become cost effective in the near future. Data rates vary with the distance of the endpoint from the antenna and with the number of endpoints sharing that antenna. The power consumption of WiMAX hardware is considered high, largely because of the bandwidth it maintains. One example of a WiMAX system being installed is by Energy Australia, which is piloting the technology at its facility in Sydney; the facility is equipped with a functional base station, several varieties of mock network and 7,000 smart meters. WiMAX is also used for backhaul from concentrators by Hydro One in Ontario. Although WiMAX is used mainly for internet connectivity, its use in mobile telephony handsets and laptop computers is increasing, but the solution remains relatively immature. System on Chip WiMAX products are available, but the majority of offerings use several chips to provide connectivity. The availability of WiMAX networks in Britain is low, although there are plans to introduce metropolitan area networks in Milton Keynes and Norwich that could support energy smart metering.

 GE has emerged with a WiMAX smart meter solution that deploys WiMAX radios as part of a smart meter project by the utility CenterPoint Energy. GE has also partnered with Grid Net, whose technology implements WiMAX Internet routers in smart meters. Although 100 kilobits per second is sufficient for reading electric meters, 1 to 2 megabits per second is needed to make split-second automation of the electricity distribution grid a reality. As announced on March 30, 2009, GE is installing a network of its WiMAX-based MDS Mercury 3650 radios to link CenterPoint Energy's backhaul communications systems to collection points. Those collection points aggregate data from the smart meters that CenterPoint is installing for 2.4 million customers in the Houston area. This project marks a new trend in using WiMAX for smart meter deployments. Typically, utilities have used lower-bandwidth, lower-cost wireless technologies, since sending energy usage information and simple instructions to and from meters does not require a high-bandwidth system. However, distribution automation, which uses high-speed digital communications to control equipment in order to prevent damage to a transformer or a generator, does require it. As always, the speed and reliability of the system are of the utmost concern in ensuring the safety of the people who work with it. This is the first self-contained WiMAX smart meter communications deployment, and CenterPoint has emerged as the pioneer of WiMAX smart metering in the United States. San Francisco-based Grid Net is testing its WiMAX smart meters with SP AusNet and Energy Australia, two utilities in Australia; it should be noted that the Australian utilities use public WiMAX networks, Australia's WiMAX coverage being far greater than that of the United States. GE is in discussion with the U.S. utilities American Electric Power (AEP) and Consumers Energy about testing WiMAX smart meters using the Grid Net technology.

2.6 WiFi Option

 WiFi, also known as "wireless broadband", continues to grow as a common method of providing wireless internet connectivity to consumer electronics. It is a standards based solution for local area networking operating at 2.4 GHz, with 5 GHz products becoming available. The meter hardware requires a WiFi radio transceiver chipset, and a number of wireless access points provide point to point connections for smart meters. Data rates vary with the particular standard used; however, all are classified as broadband-capable. The standards are the IEEE 802.11(x) family, with x signifying versions such as 802.11a, b, g and n; 802.11n offers increased range and data rates and supports the most common internet protocols. Because of the reach required of wireless LAN applications, WiFi is classified as a comparatively high power technology. Some municipal utilities in the US are utilizing existing metropolitan WiFi infrastructure for AMR and AMI metering services in cities such as Lafayette, Burbank and Corpus Christi. WiFi is a fully established and maturing technology widely used for in-home or hot-spot networking, providing personal computers and WiFi enabled devices with access to network data services. It should be noted that WiFi networks do not natively support mesh topologies. See Figure 2.6.1 for an illustration of a WiFi


                  Figure 2.6.1 Tropos WiFi Infrastructure

2.7 FemtoCells

 FemtoCells are being introduced as an inexpensive solution to weak indoor cellular coverage. They are low power wireless access points, operating in licensed radio spectrum, that connect standard mobile devices to a mobile operator's network over a broadband connection; they are also known as access-point base stations. These small base stations are typically designed for indoor use in residential or small business environments and connect to the service provider's network via the end user's broadband internet.

 FemtoCells typically combine the base station and radio network controller into a single unit. Home Zone services enabled by FemtoCells and Generic Access Networks (GAN) provide a new generation of highly integrated access network infrastructure products. FemtoCells provide in-house connectivity for Universal Mobile Telecommunications System (UMTS) phones by routing calls made in the Home Zone over existing DSL broadband links using short-range UMTS Node-Bs. GANs typically allow WLAN based broadband home coverage over any type of broadband IP infrastructure.

 Integrating FemtoCell access points and FemtoCell gateways into an existing network presents new testing challenges: lack of standards, security concerns and high load generation. Testing the latest wireless technology as the backhaul link requires special test equipment, since full test beds are cost prohibitive. Vendors such as Tektronix and Ixia provide test equipment well suited to this environment. FemtoCells extend the reach of an LTE, 3G, CDMA, IMS or WiMAX network into homes and other small buildings for full voice and data coverage; in 3GPP UMTS, a FemtoCell encompasses both Node B and RNC functionality. Ixia and Tektronix work closely with standards bodies to ensure compliance with evolving solutions and new recommendations. Ixia uses the IxCatapult [16] test equipment to develop test scripts for FemtoCell implementations and the Iuh (Fa) interface. The IxCatapult solution is also used for load testing with high volumes of FemtoCell traffic, exercising the FemtoCell gateways that typically connect to tens of thousands of FemtoCells. See Figure 2.7.1 for a block diagram of the IxCatapult DCT200 test device.

        Figure 2.7.1 IxCatapult Testing on the Iu FemtoCell Gateway

  Tektronix uses 3G Core Network Emulation with the G35 Core Network for cost-efficient Radio Access Network testing. See Figure 2.7.2 for a block diagram of the G35 test device.

Figure 2.7.2 3G Core Network Emulation with the Tektronix G35 Protocol


 Several vendors and carriers have emerged with their own test environments to ensure adherence to security standards, encryption, proprietary stack testing, QoS, etc. FemtoCells may have a place in AMR/AMI systems by using existing infrastructure and could be applicable to future metering systems. Agilent continues to be a key player in emerging markets such as FemtoCells [1]. See Figure 2.7.3 for the test solution Agilent provides for key FemtoCell measurements.

               Figure 2.7.3 Agilent FemtoCells Test Solutions

2.8 Active Line Access (ALA)

 Advanced Meter Reading and Advanced Metering Infrastructure technology has evolved with a variety of physical media that can be used together to deliver connectivity, with any number of communications options co-existing at any level of geographic granularity. Among the proposals is the idea of using existing Active Line Access (ALA) to provide communication between Smart Meters and the Smart Grid infrastructure. Research shows no significant projects in which ALA provides a communication solution for AMR/AMI: ALA discussions are still at an early stage and have produced nothing more than an idea for discussion, and there are no examples where this technology is being used or considered for smart metering.

2.9 Power Line Carrier (PLC)

  Power Line Carrier (PLC) is one of the most widely used technologies for advanced metering. PLC takes advantage of the existing electricity wiring to transfer data, so no separate communications medium needs to be installed. See Figure 2.9.1 for an illustration of how a smart meter could be connected to the Data Transport using a power line.

                           Figure 2.9.1 Power Line Carrier

  The definition of a power line carrier is "a communication system where the utility power line is used as the primary element in the communication link." All power line communications systems operate by modulating a carrier signal onto the power wiring, and the different types use different frequency bands and modulation techniques depending on the signal transmission characteristics of the wiring. The terminology distinguishes Power Line Communications, carried over High and Medium Voltage wires, from Distribution Line Carrier, which refers to the Low Voltage connection to individual meters. PLC was first used to deliver one-way consumption information; technology then emerged that allows bi-directional use of PLC to and from meters. Several existing solutions use mesh networking to pass information from meter to meter until it reaches a concentrator, which affects the overall speed of the solution. The hardware within the meter is a transponder or transceiver with associated microelectronics that couples it to the electrical wiring at the meter. An example of the meter hardware components is shown below in Figure 2.9.2; examples of the modulation unit and of the control and receiving unit are shown in Figures 2.9.3 and 2.9.4, respectively.

Figure 2.9.2 PLC Circuitry to Retrofit Meter

Figure 2.9.3 PLC Substation Outbound Modulation Unit (OMU)

         Figure 2.9.4 PLC Substation Control and Receiving Unit (CRU)

 The scale of infrastructure required by a PLC implementation varies with the commercial solution. Some require substantial equipment within the electricity distribution network; others, as with the other options, require less and are less intrusive, but all PLC deployments require some network infrastructure equipment. The "speed" of data transfer varies with the solution and depends on the "quality" of the low voltage network. PLC is traditionally a narrowband communications link with rates below 10 kbps. However, the technology continues to evolve, and high speed chips offer alternatives with much higher rates for meters and infrastructure at a list price of $8.50 per unit. See Figure 2.9.5 for a block diagram of the high speed PLC chip.

           Figure 2.9.5 High Speed 100Kb/s PLC Transceiver Chip

 Although HomePlug technologies over PLC connections offer rates of 14 Mbps, 85 Mbps and 200 Mbps, these high rates are only possible at reasonably low cost because of the "closed" nature of the mains wiring within a home. Similar HomePlug products operating at much lower rates are being introduced, but it is not anticipated that current HomePlug type technologies could be used to provide the link between a meter and a concentrator.

 There are a number of international standards for PLC in use or under development:

  • ETSI – a suite of standards relating to PLC, also working with a CENELEC committee on power line (SC 205A)

  • IEEE standards – P1775, P1675, P1901 – the focus appears to be on developing Broadband over Power Line

  • LonWorks – a standard operated by Echelon, based upon the use of their protocol and silicon within a range of applications and devices

  • OPERA – EU funded initiative led by Iberdrola to develop an interoperable platform to use PLC for utility and internet solutions

  • HomePlug Command and Control – primarily developed to deliver home automation services, this PLC option could be used between an electricity meter and a WAN concentrator

 PLC currently uses a wide range of protocols that are generally supplier, service or application specific, each with a specific modulation scheme for imposing the carrier signal. Among the schemes used are Frequency Shift Keying and Spread Spectrum methods. Meters using one scheme will not speak to concentrators using a different scheme, i.e., the modulation schemes are not interoperable. The power usage of any PLC system depends largely on the type of infrastructure: for example, data concentrators all represent "new" equipment that consumes power, and the transmission and processing of the carrier signal also depend on the signal, frequency, level of amplification, etc. PLC solutions are generally used for utility applications in distribution and transmission operator SCADA systems, AMR and the smart grid. The Echelon system has been implemented in Italy for 30 million domestic electricity customers. There are a large number of PLC AMR systems in use in the US; the Aclara TWACS system, for example, is used by Pacific Gas and Electric. PLC solutions are available from a number of service providers and are used extensively in AMR/AMI applications in the US and in Europe. PLC for smart metering in Britain would require the extension of an existing data network within a distribution company in which the power lines are already used for SCADA purposes. Whether new PLC equipment must be installed on distribution premises depends solely on the nature of the implementation. These projects are generally deployed by PLC specialists, although some have been implemented by utility personnel themselves; issues of training and qualification to enter substations need to be considered. PLC does not rely upon a connection to every meter in order to operate effectively within an area. Technical challenges remain where meters are in remote or rural areas or where a robust electricity infrastructure is not present, and the potential effect of widespread micro-generation on the quality of PLC communications remains unclear. Quality of Service (QoS) can suffer from interference from customer appliances and normal household activities such as the use of washing machines, power tools and other equipment with electric motors. By the nature of the infrastructure, PLC installations are naturally vulnerable to power outages; techniques are emerging that use capacitors (and super capacitors) in electric meters to send an alert to the network once the supply falls below a configurable threshold (a brownout) or fails completely. These messages can still reach a concentrator since the PLC signals operate at a much lower voltage than the mains supply.

2.10 Combinations of Physical Media

 Most real world smart metering examples implement combinations of physical media to deliver end to end WAN communications. There will be some point within the network where PLC becomes Cellular or Fixed Wire in order to reach the WAN "cloud"; similarly, Low Power Radio solutions do not connect directly to the cloud. Varieties of individual types of physical media can be used together to deliver

 For example, low voltage PLC is not the same as medium or high voltage PLC, SMS is not the same as 3G, and ZigBee is not the same as Wireless M-Bus. See Figure 2.10.1 for an illustration of combinations of physical media.

                Figure 2.10.1 Combinations of Physical Media

 2.11 Other Options

 There are a number of other communications options that have not yet been explored in detail to determine their feasibility for Smart Grid implementation. Some may be considered impractical, while others have been tested and implemented. Options worthy of mention include:

   • the 2-way radio paging network

   • PAKNET radio network

   • Mobitex – a secure, narrowband 2-way paging network

 These options are not excluded from consideration for smart metering, but research shows no examples where they are being used or considered for it. Some options that have been implemented and have a place in Smart Metering include:

      Fixed Line

 One of the few examples of a Public Switched Telephone Network (PSTN) AMR system installed for domestic customers is at Boone, Iowa, where about 60% of the 5,000 customers are on a system provided by Sensus. Such installations are generally limited to large commercial and industrial users, like the Sensus/Invensys (London, UK) meters for C&I customers in Monterrey, Mexico. One ongoing problem with telephone installations is the frequent turnover of occupancy, because changes in telephone numbers cause problems for the system; the proposed solution is to switch to a simpler RF system for the areas experiencing high occupancy turnover.

 Rockwell Semiconductor Systems announced full support for Intel's Audio/Modem Riser (AMR) and Mobile Daughter Card (MDC) specifications with its RipTide audio/modem chipset, and is believed to be the first chipset company to back the Intel specifications. The RipTide chipset allows OEMs to implement audio and modem functions on the motherboard to lower costs and provide riser scalability. The specification is open, and Intel is among several companies participating in support of AMR and MDC; it provides upgrade flexibility with xDSL functionality and Universal Serial Bus (USB) implementations. The RipTide chipset, a soft modem and soft audio solution, has been priced at a relatively low $15 in low volumes since its market introduction in September 1998. Note that the "AMR" in this specification stands for Audio/Modem Riser, a PC motherboard interface, and is unrelated to Automatic Meter Reading; its only bearing on fixed line metering is as a low cost modem function. As with other solutions, broadband and cable vendors have shown special interest and joined the effort to provide a feasible, cost effective modem solution.

      Wireless Solutions – cellular, low power radio (Zigbee, Mbus, Zwave)

 Several questions require answers before wireless solutions can be considered. For

   • How long will the radio last?

   • What is the radio frequency? Consideration must be given to other services operating at or near the frequency the utility meters are using.

   • Are the device frequencies configurable and allow frequencies to be

   • What type of modulation is being used?

   • Are the meter radios upgradeable to allow modifications to an existing water/gas/electric meter?

   • Does interoperability between different vendor hardware exist to read other vendors' utility meters?

 As with most utilities, the general solution is the installation of specialized collectors for each utility; collectors for gas, water and electric wireless mesh networks make this solution possible. Retrofitting existing water, gas and electric meters introduces problems of interoperability, whereas contracting a single vendor solution for all utilities ensures compatibility and reduces the number of collectors and the cost. Ultimately, requirements that hardware and software be configured to read other vendors' meters and to communicate with one another will reduce the problems introduced by emerging technologies. As with many of the options available, wireless solutions have found a strong foothold in ICS, and it will be interesting to observe their progression over time now that they have found a place in Smart Metering solutions.

3.0 Vulnerabilities

 Millions of homes and businesses are using smart meters that are riddled with security bugs that could bring down the power grid. Of particular concern, these new smart electricity meters are being deployed despite vulnerabilities, identified in several vendors' devices, that open the door to power-grid botnets. Smart meters provide two-way communication between electricity users and collection devices that ultimately connect to the power plants serving them. Utilities in Seattle, Houston, Miami and elsewhere are hurriedly installing them as part of a plan to make the power grid more efficient, funded by billions of dollars from President Obama's economic stimulus package, and organizations throughout Europe are also spending heavily on the technology. The problem is that the meters needed to make the smart grid work are built on buggy software that is easily hacked. Mike Davis, a senior security consultant for IOActive, has identified several issues with the smart meter software that are critical to the security of the smart grid: the vast majority of the meters use no encryption and require no authentication before carrying out sensitive functions, and there is no validation or authentication when performing software updates or disconnecting customers from the grid. Davis has said the vulnerabilities are ripe for abuse. The meters can switch hundreds of thousands of homes on or off at nearly the same time, which can leave the power company unable to deal gracefully with the resulting swings in demand. The devices [17] are susceptible to a worm designed by Davis and his IOActive colleagues that self-propagates across a large number of one manufacturer's meters. Once infected, a device is under the control of the malware's authors in the same way that infected PCs are under the control of bot herders: the attackers "own" the devices and can send instructions to turn power on or off, and can extract power usage statistics or sensitive system configuration settings. The worm spreads quickly by exploiting an automatic update feature in the meter that runs on peer-to-peer technology. The update mechanism uses no code signing or any other measure to ensure that an update is authorized; instead it uses a routine known as interrupt hooking, which adds code to the device's operating system. There has been no public disclosure of the verified models of smart meters that carry these vulnerabilities; the researchers decline to identify the models or the manufacturers, stating only that most of the models suffer from the same poor design. Companies manufacturing smart meters for smart grids include GE Energy, The ABB Group, Sensus Metering, Itron and Landis+Gyr. The embedded platforms are not designed for security. One deficiency identified as common among many of the meters is the use of well-known insecure programming functions such as strcpy() and unchecked memcpy(), which are among the most common sources of exploitable software bugs. In many cases the devices use general purpose hardware and software that are not designed for highly targeted or mission critical systems. This is the nightmare of the smart grid security initiative: envision a malicious hacker who has the unique identifier printed on your meter.
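 The strcpy()/memcpy() deficiency named above, shown with an added example. This is the editor's illustration, not code from the thesis, from IOActive's research or from any meter vendor's firmware: a hypothetical length-prefixed "set label" command is handled once with an unchecked memcpy() driven by the length byte from the wire, and once with explicit bounds checks. The frame layout, the meter_cfg structure, the relay_enabled field and all function names are assumptions made for the illustration.

```c
/*
 * Added illustration, not code from the thesis or from any meter vendor:
 * the same "set meter label" command handled with an unchecked memcpy()
 * and with an explicit bounds check. The frame layout, the struct and
 * all names here are hypothetical.
 *
 * Hypothetical frame: [cmd:1][len:1][payload:len bytes]
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMD_SET_LABEL 0x01
#define LABEL_CAP     16

/* Hypothetical meter record. The label buffer is followed by a field the
 * firmware acts on, so an overrun of the label changes device behaviour. */
struct meter_cfg {
    char     label[LABEL_CAP];
    uint32_t relay_enabled;      /* 1 = supply connected, 0 = disconnected */
};

/* Vulnerable handler: the copy length comes straight from the wire, so a
 * frame whose len byte exceeds LABEL_CAP overruns the destination. */
__attribute__((noinline))
void set_label_vulnerable(char *label, const uint8_t *frame)
{
    memcpy(label, frame + 2, frame[1]);  /* no check against LABEL_CAP */
}

/* Hardened handler: rejects a length that exceeds either the bytes actually
 * received or the destination capacity, and NUL-terminates the result.
 * Returns 0 on success and -1 on a malformed frame (nothing is modified). */
int set_label_checked(struct meter_cfg *cfg, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2 || frame[0] != CMD_SET_LABEL)
        return -1;
    size_t len = frame[1];
    if (len > frame_len - 2)          /* header claims more than was received */
        return -1;
    if (len > LABEL_CAP - 1)          /* would not fit with its terminator */
        return -1;
    memcpy(cfg->label, frame + 2, len);
    cfg->label[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed frames: a well-formed one, and one whose length byte
     * claims 20 payload bytes for a 16-byte buffer. */
    const uint8_t good[] = { CMD_SET_LABEL, 5, 'M', 'T', 'R', '0', '1' };
    uint8_t bad[2 + 20] = { CMD_SET_LABEL, 20 };
    memset(bad + 2, 'A', 20);

    struct meter_cfg cfg = { .label = "", .relay_enabled = 1 };

    printf("checked, good frame  : rc=%d label=\"%s\" relay=%u\n",
           set_label_checked(&cfg, good, sizeof good), cfg.label,
           (unsigned)cfg.relay_enabled);
    printf("checked, bad frame   : rc=%d label=\"%s\" relay=%u\n",
           set_label_checked(&cfg, bad, sizeof bad), cfg.label,
           (unsigned)cfg.relay_enabled);

    /* The unchecked handler copies 20 bytes into a 16-byte field: the four
     * excess bytes land in relay_enabled (undefined behaviour in C; shown
     * here only to make the overrun visible). */
    set_label_vulnerable(cfg.label, bad);
    printf("vulnerable, bad frame: relay=0x%08x (was 1)\n",
           (unsigned)cfg.relay_enabled);
    return 0;
}
```

 Built with a typical gcc or clang command line, the unchecked handler in main() overwrites relay_enabled with 0x41414141, while the checked handler returns -1 for the same frame and leaves the record untouched. The rule the hardened version follows applies to any field parsed from the network: a declared length is validated against both the number of bytes actually received and the capacity of the destination before anything is copied, never against only one of them.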

 A security company named ControlScan maintains a database of vulnerabilities found in the more common problems in the Internet infrastructure; the database lists 34,762 vulnerabilities identified by ControlScan [14]. This list cannot reflect all the problems in ICS/Internet infrastructure. Section 3.1 Vulnerability Classes [4] attempts to list additional vulnerability problems and potential impacts that may not be as obvious as those listed in the ControlScan

 By 2015, utilities in more than two-dozen US states expect to have almost 52

million customers outfitted with the bidirectional smart meters, according to the

Edison Electric Institute, which represents power companies. Some of those

deployments are already completed and many more will be completed in the next few

years. Due consideration must be given to all the issues of ICS/Internet integration.

3.1 Vulnerability Classes

Definition: A Vulnerability Class is a category of weakness which could adversely impact the operation of the Smart Grid. A “vulnerability” can be leveraged to cause disruption or influence the Smart Grid [8].

Many sources of vulnerability information are used to identify different viewpoints. Of these sources, the following are included: NIST 800-82 and 800-53, OWASP vulnerabilities, CWE vulnerabilities, attack documentation from INL, input provided by the NIST CSCTG Bottoms-Up group and the NERC CIP standards.

3.1.1 People, Policy & Procedure

People must be trained to follow the Policy and Procedure by which an organization operates. These are the documented mechanisms that lay the groundwork for how the organization will operate, and they outline places where a failure in, or lack of, policy and procedure can lead to a security risk for the organization. Policies and procedures should be examined closely to ensure that they are consistent with both the business objectives and with secure operations. The Policy and Procedure process is a critical component. This process must be done thoroughly and correctly to minimize the impact of any vulnerability that may exist.

Insufficient Identity Validation and Background Checks

- Depth of identity validation/background levels pertains to the individual's area of responsibility and the level of information they are given access to
- Use of known references and background checking by established groups should be implemented

Potential Impact

- The human factor is considered the weakest element within any Security
- Validation and background checking are measures that are imperative to be able to manage this element
- Do not give any one individual the exclusive authority over the organization

3.1.2 Training

Personnel training in all forms relates to implementing, maintaining, and operating systems. Everyone will have a clear understanding of the importance of Cyber and begin to understand the role they play and the importance of each role. The continuation of efforts to train personnel within the Policy framework to highlight the Security profile over some identified period of time is always needed for new procedures, new technologies and reinforcement of the importance of the cyber security program.

Insufficiently Trained Personnel

- Everyone needs to acquire a level of Security Awareness training
- The degree of this training varies based on the person's role and technical responsibilities for critical assets

Common Problems

- Freely releasing information about someone's status, i.e., away on vacation, not in today, etc.
- Opening emails and attachments from unknown sources
- Posting passwords for all to see
- Recording passwords on sticky notes and saving them under the keyboard
- Social Engineering

Potential Impact

- The social engineering element can, in some cases, give an attacker all the visibility, knowledge and opportunity to execute a successful attack
- People potentially can become the greatest vulnerability (disgruntled employee, insufficiently trained, employee not knowing boundaries of responsibility, etc.)

3.1.3 Inadequate Security Policy

- Vulnerabilities can be due to inadequate policies or the lack of policies
- Policies need to drive operating requirements and procedures

Potential Impact

- Security policy must be structured with several key elements
- Must be well understood
- Must be of a practical approach
- Must be put into practice and monitored
- Must be enforceable
- Policies must be flexible enough that they can be continuously improved

3.1.4 Inadequate Privacy Policy

- The privacy policy documents the necessity to protect private personal
- It is necessary to ensure that data is not exposed or shared unnecessarily

Potential Impact

- Insufficient privacy policies can lead to unwanted exposure of employee, customer/client personal information that can lead to both business and security risk

3.1.5 Inadequate Patch Management Process

- Must ensure that software and firmware are kept current, or that a proper risk analysis and mitigation process is in place when patches cannot be promptly installed

Potential Impact

- Missing patches on firmware and software have the potential to present serious risk to the affected system

3.1.6 Change and Configuration Management

- Essential to ensure that system configurations are governed appropriately in order to maximize overall system reliability.

Common Problems

- Changing software configuration in a way that enables an insecure profile
- Adding vulnerable hardware
- Changing network configuration in a way that reduces the security profile of the system
- Introduction of tampered devices into the system
- Security organization not having a sign-off approval in the configuration management process.

Potential Impact

- Improperly configured software, systems, and devices added to existing systems can lead to insecure configurations and increased risk of vulnerability

3.1.7 Unnecessary System Access

- It needs to be very clear that access and information are granted only on an as-needed basis
- Access needs to be well controlled and monitored
- Access is dependent on the access requirement and the level of impact that access could have on an organization

3.1.8 Risk Management

Deficiencies in a risk management program can lead to vulnerabilities at the business decision-making layer and the technical layer.

Inadequate Periodic Security Audits

- Conduct independent security audits to review and examine a system's records and activities to determine the adequacy of system controls and ensure compliance with established security policy and procedures
- Conduct audits to detect breaches in security services and recommend changes, which may include making existing security controls more robust and/or adding new security controls
- Audits should not completely rely on interviews with the systems

Potential Impact

- The Audit process is the only true measure to continuously evaluate the status of the implemented Security Program: conformance to policy, the need to enhance policy and/or procedures, and the security robustness of your implemented security technologies

3.1.9 Inadequate Security Oversight by Management

A security and disaster recovery plan must be approved before a disaster happens. It is of no use to attempt to recover from a disaster after the fact.

- Define clear Senior Management ownership of a Security program
- Otherwise, the event of a policy being compromised or abused becomes almost impossible to enforce.

Potential Impact

- Requires the crossing of many organization operating groups within a security program to have impact on the many business areas.
- Requires an element of Human Resources and legal involvement.
- The ownership and oversight must be established at the senior management executive level within an organization

3.1.10 Inadequate Continuity of Operations or Disaster Recovery

- Ensure that the various plant/system disaster recovery plans are in place
- Highlight within their elements a cyber related incident recovery process
- Must ensure recovery elements focus on cyber incident recovery
- Add steps to validate backups, ensure devices being recovered are clean before installing the backups, perform incident reporting and reviews, etc.

Potential Impact

- A possible plant or operational outage that lasts longer than required

3.1.11 Inadequate Risk Assessment Process

- Ensure proper evaluation of risk
- Document the assessment process
- Include consideration of business objectives

Common Example

- The NERC Critical Asset identification process

Potential Impact

- Inadequate or lack of assessment processes can lead to decisions made without basis in actual risk.

3.1.12 Inadequate Risk Management Process

- Unmanaged risk leads to unmanaged vulnerabilities
- All systems must be assessed

Potential Impact

- Unmanaged risk and/or vulnerabilities can be exploited on affected systems

3.1.13 Inadequate Incident Response Process

- Require an adequate process to ensure proper notification and action in the event of an incident.

Potential Impact

- Response-time critical actions may not be completed in a timely manner.
- May lead to increased duration of exposure.

3.1.14 Platform Software/Firmware Vulnerabilities

Errors or oversights in software and firmware design, development, and deployment may result in unintended functionality that allows attackers to compromise the confidentiality, integrity and availability of information or systems. New instances of software and firmware vulnerabilities are discovered daily.

3.1.15 Software Development

Applications being developed for use in the Smart Grid should use the Secure Software Development Lifecycle. Otherwise, vulnerabilities could arise from a lack of oversight in this area, leading to poor code implementation and in turn to many vulnerabilities.

3.1.16 Code Quality Vulnerability

Poor code quality results in unpredictable behavior. From a user's perspective that often manifests itself as poor usability. It provides an opportunity for an attacker to stress the system in unexpected ways.

Common Problems

- Double Free
- Failure to follow guideline/specification
- Leftover Debug Code
- Memory leak
- Null Dereference
- Poor Logging Practice
- Portability Flaw
- Undefined Behavior
- Uninitialized Variable
- Unreleased Resource
- Unsafe Mobile Code
- Use of Obsolete Methods
- Using freed memory

3.1.17 Arbitrary Code Execution and Authentication Vulnerability

Authentication is critical in the process of proving an identity to a system. Authentication should be required for users, applications, and devices. This class of vulnerability leads to authentication bypass or other circumvention/manipulation of the authentication process.

Common Problems

- Confidence tricks
- Remote technical tricks
- Local technical tricks
- Victim mistakes
- Implementation oversights
- Denial of service attacks
- Enrollment attacks (OWASP page “Comprehensive list of Threats to Authentication Procedures and Data”)
- Allowing password aging
- Authentication Bypass via Assumed-Immutable Data
- Empty String Password
- Failure to drop privileges when reasonable
- Hard-Coded Password
- Not allowing password aging
- Often Misused: Authentication
- Reflection attack in an auth protocol
- Unsafe Mobile Code
- Using password systems
- Using referrer field for authentication or authorization
- Using single-factor authentication

Potential Impact

- Access granted without official or valid permission

3.1.18 Authorization Vulnerability

It is critical in the authorization process to assign correct system permissions to an authenticated entity. This vulnerability allows authenticated entities the ability to perform actions which policy does not allow.

Common Problems

- Code Permission Vulnerability
- Access control enforced by presentation layer
- File Access Race Condition: TOCTOU
- Least Privilege Violation
- Often Misused: Privilege Management
- Using referrer field for authentication or authorization
- Insecure direct object references
- Failure to restrict URL access

3.1.19 Cryptographic Vulnerability

Cryptography uses mathematical principles to hide information from unauthorized parties. The process of cryptography must ensure the information is unchanged, and that the intended party can verify the sender. Exploits of this vulnerability can allow an attacker to view, modify or forge encrypted data, or impersonate another party through digital signature abuse.

Common Problems

- Algorithm problems
- Key management problems
- Random number generator problems
- Addition of data-structure sentinel
- Assigning instead of comparing
- Comparing instead of assigning
- Deletion of data-structure sentinel
- Duplicate key in associative list
- Failure to check whether privileges were dropped successfully
- Failure to de-allocate data
- Failure to provide confidentiality for stored data
- Guessed or visible temporary file
- Improper cleanup on thrown exception
- Improper error handling
- Improper temp file opening
- Incorrect block delimitation
- Misinterpreted function return value
- Missing parameter
- Omitted break statement
- Passing mutable objects to an un-trusted method
- Symbolic name not mapping to correct object
- Truncation error
- Undefined Behavior
- Uninitialized Variable
- Unintentional pointer scaling
- Use of sizeof() on a pointer type
- Using the wrong operator

3.1.20 Environmental Vulnerability

This vulnerability includes everything that is outside of the source code. The environment is critical to the security of the product.

- ASP.NET Misconfiguration
- Empty String Password
- Failure of true random number generator
- Information leak through class cloning
- Information leak through serialization
- Insecure Compiler Optimization
- Insecure Transport
- Insufficient Session-ID Length
- Insufficient entropy in pseudo-random number generator
- J2EE Misconfiguration: Unsafe Bean Declaration
- Missing Error Handling
- Publicizing of private data when using inner classes
- Relative path library search
- Reliance on data layout
- Relying on package-level scope
- Resource exhaustion
- Trust of system event data

3.1.21 Error Handling Vulnerability

Error handling refers to the way an application deals with unexpected syntactical or logical error conditions. This vulnerability can provide a means for attackers to use error handling to access unintended information or functionality.

Common Problems

- ASP.NET Misconfiguration
- Catch NullPointerException
- Empty Catch Block
- Improper cleanup on thrown exception
- Improper error handling
- Information Leakage
- Missing Error Handling
- Often Misused: Exception Handling
- Overly-Broad Catch Block
- Overly-Broad Throws Declaration
- Return Inside Finally Block
- Uncaught exception
- Unchecked Error Condition

3.1.22 General Logic Error

Logic errors are programming errors that can allow an application to operate incorrectly without crashing. This vulnerability includes several types that have security implications.

Common Problems

- Addition of data-structure sentinel
- Assigning instead of comparing
- Comparing instead of assigning
- Deletion of data-structure sentinel
- Duplicate key in associative list
- Failure to check whether privileges were dropped successfully
- Failure to deallocate data
- Failure to provide confidentiality for stored data
- Guessed or visible temporary file
- Improper cleanup on thrown exception
- Improper error handling
- Improper temp file opening
- Incorrect block delimitation
- Misinterpreted function return value
- Missing parameter
- Omitted break statement
- Passing mutable objects to an untrusted method
- Symbolic name not mapping to correct object
- Truncation error
- Undefined Behavior
- Uninitialized Variable
- Unintentional pointer scaling
- Use of sizeof() on a pointer type
- Using the wrong operator
- Business logic flaw

3.1.23 Input and Output Validation

Input validation ensures that user-supplied content contains only expected information. Input validation requires caution because of the wide assortment of potential exploitation methods. Validate external input to ensure an attacker cannot exploit this process to obtain unintended functionality or the execution of arbitrary code.

Common Problems

- Buffer Overflow
- Format String
- Improper Data Validation
- Log Forging
- Missing XML Validation
- Process Control
- String Termination Error
- Unchecked Return Value: Missing Check against Null
- Unsafe JNI
- Unsafe Reflection
- Validation performed in client
- Unvalidated redirects and forwards

3.1.24 Logging and Auditing Vulnerability

Logging and auditing are common system and security functions used for system management, event identification, and event reconstruction. Weaknesses in these functions can either aid an attack or increase the likelihood of its success.

Common Problems

- Addition of data-structure sentinel
- Log Corruption
- Lack of Regular Log Review
- Information Leakage
- Log Forging
- Log injection
- Poor Logging Practice
- Cross-site scripting via HTML log-viewers

3.1.25 Password Management Vulnerability

Passwords are the most commonly used form of authentication. Mistakes in handling passwords may allow an attacker to obtain or successfully guess them.

Common Problems

- Allowing password aging
- Empty String Password
- Hard-Coded Password
- Not allowing password aging
- Password Management: Hardcoded Password
- Password Management: Weak Cryptography
- Password Plaintext Storage
- Password in Configuration File
- Using password systems

3.1.26 Path Vulnerability

Dynamic construction of a file path using unvalidated user input can allow attackers to access files that are not intended to be accessed.

Common Problems

- Path Traversal Attack
- Relative Path Traversal Attack
- Virtual Files Attack
- Path Equivalence Attack
- Link Following Attack

3.1.27 Protocol Errors

Protocol communication rules can introduce security issues during protocol design.

Common Problems

- Failure to add integrity check value
- Failure to check for certificate revocation
- Failure to check integrity check value
- Failure to encrypt data
- Failure to follow chain of trust in certificate validation
- Failure to protect stored data from modification
- Failure to validate certificate expiration
- Failure to validate host-specific certificate data
- Key exchange without entity authentication
- Storing passwords in a recoverable format
- Trusting self-reported DNS name
- Trusting self-reported IP address
- Use of hard-coded password
- Insufficient transport layer protection
- Use of weak SSL/TLS protocols
- SSL/TLS key exchange without authentication
- SSL/TLS weak key exchange
- Low SSL/TLS cipher strength

Potential Impact

- Compromise of security protocols such as TLS

3.1.28 Range and Type Error Vulnerability

Various types of range and type errors are common programming mistakes that can have potential security consequences.

Common Problems

- Access control enforced by presentation layer
- Buffer Overflow
- Buffer underwrite
- Comparing classes by name
- Deserialization of untrusted data
- Doubly freeing memory
- Failure to account for default case in switch
- Format String
- Heap overflow
- Illegal Pointer Value
- Improper string length checking
- Integer coercion error
- Integer overflow
- Invoking untrusted mobile code
- Log Forging
- Log injection
- Miscalculated null termination
- Null Dereference
- Often Misused: String Management
- Reflection injection
- Sign extension error
- Signed to unsigned conversion error
- Stack overflow
- Truncation error
- Trust Boundary Violation
- Unchecked array indexing
- Unsigned to signed conversion error
- Using freed memory
- Validation performed in client
- Wrap-around error
- Cardinality incorrect
- Value integrity modification
- Sequencing or timing error
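As an added illustration (not code from the thesis or from any meter vendor) of two entries in the list above, the signed-to-unsigned conversion error and the wrap-around error, here is a parser for a constructed length-prefixed record of the kind a meter update message might carry, with the error-prone version beside one whose bound checks cannot wrap. The record layout and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed record layout used only for this example (not a vendor format):
 *   [int32 len, little-endian][len bytes of value]
 * The length is read as a signed 32-bit integer, which is where the trouble starts. */
static int32_t read_i32_le(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* "Before": two of the listed errors in one function.
 *  - signed-to-unsigned conversion: a negative len becomes a huge size_t when
 *    it reaches memcpy();
 *  - wrap-around error: off + 4 + len is computed in size_t and wraps past zero
 *    for negative len, so the bound check passes for exactly the input it
 *    should reject. */
int copy_value_unsafe(const uint8_t *buf, size_t total, size_t off,
                      uint8_t *dst, size_t dst_len)
{
    int32_t len = read_i32_le(buf + off);
    if (off + 4 + len > total)          /* wraps when len is negative */
        return -1;
    memcpy(dst, buf + off + 4, len);    /* (size_t)len may be enormous */
    (void)dst_len;                      /* destination size never consulted */
    return (int)len;
}

/* "After": reject a negative length before any conversion, then do every bound
 * check by subtraction from the known total so no sum can wrap, and also honour
 * the destination size. Returns the number of value bytes copied, or -1 on
 * malformed input (nothing is written to dst in that case). */
int copy_value_safe(const uint8_t *buf, size_t total, size_t off,
                    uint8_t *dst, size_t dst_len)
{
    if (buf == NULL || dst == NULL) return -1;
    if (off > total || total - off < 4) return -1;   /* header must fit */
    int32_t raw = read_i32_le(buf + off);
    if (raw < 0) return -1;                           /* negative length: malformed */
    size_t len   = (size_t)raw;                       /* now a safe conversion */
    size_t avail = total - off - 4;                   /* bytes after the header */
    if (len > avail)   return -1;                     /* value exceeds the packet */
    if (len > dst_len) return -1;                     /* value exceeds destination */
    memcpy(dst, buf + off + 4, len);
    return (int)len;
}
```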

3.1.29 Sensitive Data Protection Vulnerability

This protection vulnerability can lead to insecure sensitive data; it covers the confidentiality and integrity of data during its whole lifecycle, which includes storage and transmission.

It should be noted that this vulnerability is different from access control problems, although both fail to protect data appropriately. Normally, the goal of access control is to grant data access to some users but not others. Sensitive Data Protection is concerned with the protection of sensitive data that is not intended to be revealed to or modified by any application or user. This sensitive data includes cryptographic keys, passwords, security tokens or any information that an application relies on for critical decisions.

Common Problems

- Information leakage resulting from insufficient memory clean-up
- Inappropriate protection of cryptographic keys
- Clear-text Passwords in configuration files
- Lack of integrity protection for stored user data
- Hard-Coded Password
- Heap Inspection
- Information Leakage
- Password Management: Hardcoded Password
- Password Plaintext Storage
- Privacy Violation

3.1.30 Session Management Vulnerability

Session management involves how a client and server connect, maintain, and close a connection. Vulnerabilities resulting from poor session management are primarily an issue with Web interfaces.

Common Problems

- Applications should NOT use as variables any user personal information (user name, password, home address, etc.).
- Highly protected applications should not implement mechanisms that make automated requests to prevent session timeouts.
- Highly protected applications should not implement "remember me"
- Highly protected applications should not use URL rewriting to maintain state when cookies are turned off on the client.
- Applications should NOT use session identifiers for encrypted HTTPS transport that have once been used over HTTP.
- Insufficient Session-ID Length
- Session Fixation
- Cross site request forgery
- Cookie attributes not set securely (e.g. domain, secure and HTTP only)
- Overly long session timeout

3.1.31 Concurrency, Synchronization and Timing Vulnerability

Concurrency, synchronization and timing vulnerabilities pertain to the order of events in a complex computing environment. Timing issues can affect security, most often when multiple processes or threads share some common resources, i.e., files, memory, etc.

Common Problems

- Capture-replay
- Covert timing channel
- Failure to drop privileges when reasonable
- Failure to follow guideline/specification
- File Access Race Condition: TOCTOU
- Member Field Race Condition
- Mutable object returned
- Overflow of static internal buffer
- Race Conditions
- Reflection attack in an auth protocol
- State synchronization error
- Unsafe function call from a signal handler

3.1.32 Insufficient Safeguards for Mobile Code

Allowing mobile code generally increases attack surface from programming instructions transferred from client to server that execute on the client machine without the user explicitly initiating that execution. The execution of mobile code includes issues that permit the execution of unsafe mobile code.

Common Problems

- VBScript, JavaScript and Java sandbox container flaws
- Insufficient scripting controls
- Insufficient code authentication

3.1.32 Buffer Overflow

Attackers could exploit Buffer Overflows to perform various attacks. A buffer overflow condition exists when a program copies the buffer without checking its length and attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The existence of a classic Buffer Overflow strongly suggests that the programmer does not even consider the most basic of security protections.

Common Problems

- CVE-1999-0046 - buffer overflow in local program using long environment
- CVE-2000-1094 - buffer overflow using command with long argument
- CVE-2001-0191 - By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers.
- CVE-2002-1337 - buffer overflow in comment characters, when product increments a counter for a ">" but does not decrement for "<"
- CVE-2003-0595 - By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. [17]
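The classic unbounded strcpy() that Section 3.1 flags as common in meter firmware, placed beside a bounded replacement, as an added illustration rather than code from the thesis or any meter vendor. The meter_record structure, its label field and the function names are constructed for the example; the hardened version rejects over-long input instead of truncating it and never trusts the packet to be NUL-terminated.

```c
#include <stddef.h>
#include <string.h>

#define LABEL_MAX 16   /* fixed-size label field in a (constructed) meter config record */

/* Constructed record: the label is followed in memory by the serial number,
 * which is what an over-long copy into label would overwrite. */
struct meter_record {
    char         label[LABEL_MAX];
    unsigned int serial;
};

/* "Before": the page's classic case. strcpy() copies until it finds a NUL, so a
 * packet whose label is LABEL_MAX bytes or longer writes past label[]. */
void set_label_unsafe(struct meter_record *rec, const char *pkt_label)
{
    strcpy(rec->label, pkt_label);      /* no length check at all */
}

/* Bounded scan used instead of strlen(): data lifted out of a packet may not be
 * NUL-terminated, so never read beyond the length the caller vouches for. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* "After": the copy is bounded by the destination size, over-long input is
 * rejected rather than silently truncated (truncation would alter the meaning
 * of a configuration value), and the result is always NUL-terminated.
 * Returns 0 on success, -1 on rejected input; dst is untouched on rejection. */
int set_label_safe(char *dst, size_t dst_len, const char *pkt_label, size_t pkt_len)
{
    if (dst == NULL || pkt_label == NULL || dst_len == 0)
        return -1;
    size_t n = bounded_len(pkt_label, pkt_len);
    if (n >= dst_len)                   /* no room for the terminator */
        return -1;
    memcpy(dst, pkt_label, n);
    dst[n] = '\0';
    return 0;
}
```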

3.1.33 Mishandling of Undefined, Poorly Defined, or “Illegal”

Some Incident Command Systems (ICS) implementations are vulnerable to packets that are malformed or contain illegal or otherwise unexpected field values (SP 800-

3.1.34 Use of Insecure Protocols

Protocols are expected patterns of behavior that allow communication among computing resources. Protocols must account for sufficiently considered security during the development process.

Common Problems

- Distributed Network Protocol (DNP) 3.0, Modbus, Profibus, and other protocols are common across several industries and protocol information is freely available. These protocols often have few or no security capabilities built in (SP
- Use of clear text protocols such as FTP and Telnet
- Use of proprietary protocols lacking security features

3.1.35 Weaknesses that Affect Files and Directories

Weaknesses in this category affect file or directory resources.

Common Problems

- UNIX Path Link Problems
- Windows Path Link Problems
- Windows Virtual File Problems
- Mac Virtual File Problems
- Failure to Resolve Case Sensitivity
- Path Traversal
- Failure to Change Working Directory in chroot Jail
- Often Misused: Path Manipulation
- Password in Configuration File
- Improper Ownership Management
- Improper Resolution of Path Equivalence
- Information Leak Through Server Log Files
- Files or Directories Accessible to External Parties
- Improper Link Resolution Before File Access ('Link Following')
- Improper Handling of Windows Device Names
- Improper Sanitization of Directives in Statically Saved Code ('Static Code

3.1.36 API Usage and Implementation and Abuse

An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract.

Common Problems

- If a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another problem with library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). An attacker can also violate the caller-callee contract from the other side: if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
- Dangerous Function
- Directory Restriction Error
- Failure to follow guideline/specification
- Heap Inspection
- Ignored function return value
- Object Model Violation: Just One of equals() and hashCode() Defined
- Often Misused: Authentication
- Often Misused: Exception Handling
- Often Misused: File System
- Often Misused: Privilege Management
- Often Misused: String Management

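An added example (not code from the thesis) of honouring the chroot()/chdir() contract described above, with the two related list items, ignored return values and an unverified privilege drop, handled as well. The jail_ops hook table and the fake_* recorders are hypothetical scaffolding so that the call order can be checked without root; real_ops points the same routine at the libc calls.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

int chroot(const char *path);   /* POSIX/BSD call; redeclared in case unistd.h hides it under strict ISO C */

/* Hypothetical hook table (not a real API) so the sequence can be exercised
 * without root privileges. */
struct jail_ops {
    int   (*do_chroot)(const char *path);
    int   (*do_chdir)(const char *path);
    int   (*do_setuid)(uid_t uid);
    uid_t (*get_euid)(void);
};

const struct jail_ops real_ops = { chroot, chdir, setuid, geteuid };

/* Caller's side of the contract: chroot(), then chdir("/") so the working
 * directory no longer points outside the new root, then drop privileges and
 * verify that the drop took effect instead of assuming it did.
 * Every return value is checked. Returns 0 on success, -1 with errno set. */
int enter_jail(const struct jail_ops *ops, const char *jail_dir, uid_t unpriv_uid)
{
    if (ops->do_chroot(jail_dir) != 0) return -1;
    if (ops->do_chdir("/") != 0) return -1;        /* the step most often skipped */
    if (ops->do_setuid(unpriv_uid) != 0) return -1;
    if (ops->get_euid() != unpriv_uid) {           /* "failure to check whether privileges were dropped" */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Fake ops that record the call order, used by the stand-alone check below. */
static char  jail_trace_buf[64];
static uid_t fake_euid = 0;
static int   fake_setuid_lies = 0;   /* report success without changing the uid */

static void trace_append(const char *s)
{
    if (jail_trace_buf[0] != '\0') strcat(jail_trace_buf, " ");
    strcat(jail_trace_buf, s);
}
static int   fake_chroot(const char *p) { (void)p; trace_append("chroot"); return 0; }
static int   fake_chdir(const char *p)
{
    trace_append(strcmp(p, "/") == 0 ? "chdir(/)" : "chdir(?)");
    return 0;
}
static int   fake_setuid(uid_t u)
{
    trace_append("setuid");
    if (!fake_setuid_lies) fake_euid = u;
    return 0;
}
static uid_t fake_geteuid(void) { return fake_euid; }

const struct jail_ops fake_ops = { fake_chroot, fake_chdir, fake_setuid, fake_geteuid };

/* Reset the recorder; setuid_lies != 0 simulates a setuid() that "succeeds"
 * without actually changing the effective uid. */
void jail_fake_reset(int setuid_lies)
{
    jail_trace_buf[0] = '\0';
    fake_euid = 0;
    fake_setuid_lies = setuid_lies;
}
const char *jail_trace(void) { return jail_trace_buf; }
```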
3.1.37 Use of Dangerous API

Security can be compromised with the use of an application programming interface (API) which is inherently dangerous or fraught with error.

Common Problems

- Dangerous Function such as the C function gets()
- Directory Restriction Error
- Failure to follow guideline/specification
- Heap Inspection
- Insecure Temporary File
- Object Model Violation: Just One of equals() and hashCode() Defined
- Often Misused: Exception Handling
- Often Misused: File System
- Often Misused: Privilege Management
- Often Misused: String Management
- Unsafe function call from a signal handler
- Use of Obsolete Methods

3.1.38 Platform Vulnerabilities

Definition: Platforms are defined as the software and hardware units, or systems of software and hardware, that are used to deliver software based services. The platform comprises the software, the operating system used to support that software, and the physical hardware.

Vulnerabilities in this part of the Smart Grid network are due to the complexities of architecting, configuring, and managing the platform itself. Vulnerable platform areas include the security architecture and design, inadequate malware protection against malicious software attacks, software vulnerabilities due to late or nonexistent software patches from software vendors, an overabundance of file transfer services running, and insufficient alerts from log management servers and systems.

3.1.39 Inadequate Security Architecture and Design

Inadequate Security Architecture and Design is more a cause of vulnerabilities than a vulnerability in itself.

3.1.40 Inadequate Malware Protection

Malicious software can result in performance degradation, loss of system availability, and the capture, modification, or deletion of data. To prevent systems from being infected by malicious software, malware protection software, such as antivirus software, is needed.

3.1.41 Common Problems

- Malware protection software not installed
- Malware protection software or definitions not current
- Malware protection software implemented without exhaustive testing

3.1.42 Installed Security Capabilities Not Enabled by Default

If protections are not enabled, the system may be unexpectedly vulnerable to

- Security capabilities must be turned on to be useful
- Administrators must ensure that protections are configured and enabled

3.1.43 Absent or Deficient Equipment Implementation Guidelines

 Unclear implementation guidelines can lead to unexpected behavior. Different

inputs and outputs, both logical and physical, have different security properties.

       Both hardware and software must be configured correctly if the system is to

        provide the desired security properties

       Guidelines for installers, operators and managers must be clear about the

        security properties and how the system is to be implemented and configured

3.1.44 Lack of Prompt Security Patches from Software Vendors

 Administrators may be faced with the alternatives of taking a system offline or

leaving it vulnerable as zero-day exploits become more widespread. Once a

vulnerability is disclosed there is a race between attackers trying to exploit it and

"patchers" trying to close the hole.

       The security of the system crucially depends on vendors' ability to provide

        patches in a timely manner and on administrators' ability to test and deploy

        those patches

3.1.45 Unneeded Services Running

 Many operating systems are shipped and installed with a number of services

running by default. Every running service is a security risk, partly because the

intended use of the service may provide access to system assets, and partly because

its implementation may contain exploitable bugs.

       Services should only run if needed

       Unneeded services are a vulnerability with no benefit

Common Problems

       UNIX servers may install FTP, TELNET, and HTTP by default

Potential Impact

       Each of these services can be exploited to gain access to system resources
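The check a practitioner would run for this section, as an added example that is not part of the thesis: a Python script that parses listening-socket output in the format of `ss -tlnp` and reports every network-reachable listener that is not on a per-role allowlist. The sample `ss` output is constructed, and the role allowlists (`head-node`, `log-collector`) and the risky-port map are assumptions chosen for the demo.

```python
"""Audit listening services against a per-role allowlist.

Added example, not the thesis author's code. The sample `ss -tlnp` output
below is constructed, and the role allowlists are assumptions for the demo.
"""
import re
from dataclasses import dataclass

# Assumed baseline of what each host role may expose to the network.
ROLE_ALLOWLIST = {
    "head-node": {22, 443},       # SSH for administrators, TLS for the AMI API
    "log-collector": {22, 6514},  # SSH and syslog over TLS
}

# Services the text names as commonly installed by default on UNIX servers.
RISKY_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# One data line of `ss -tlnp`: state, queues, local addr:port, peer, process info.
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Finding:
    port: int
    bind: str
    process: str
    reason: str


def parse_listeners(ss_output: str):
    """Yield (bind_address, port, process_name) for each LISTEN line."""
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header line or unparsable output
        bind, port, extra = m.group(1), int(m.group(2)), m.group(3)
        proc = PROC_RE.search(extra)
        yield bind, port, (proc.group(1) if proc else "?")


def audit_listeners(ss_output: str, role: str):
    """Return a Finding for every network-reachable listener not on the role's allowlist."""
    allowed = ROLE_ALLOWLIST[role]
    findings = []
    for bind, port, proc in parse_listeners(ss_output):
        if port in allowed:
            continue
        if bind in ("127.0.0.1", "[::1]"):
            continue  # loopback-only sockets are not reachable from the network
        name = RISKY_PORTS.get(port)
        reason = f"{name} exposed to the network" if name else "not in allowlist"
        findings.append(Finding(port, bind, proc, reason))
    return findings


# Constructed sample: a head node that still runs the default vsftpd/telnetd/httpd.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:21          0.0.0.0:*     users:(("vsftpd",pid=901,fd=3))
LISTEN 0      10     0.0.0.0:23          0.0.0.0:*     users:(("in.telnetd",pid=905,fd=4))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("httpd",pid=933,fd=4))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=950,fd=5))
LISTEN 0      128    [::]:443            [::]:*        users:(("nginx",pid=960,fd=6))
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, "head-node"):
        print(f"port {f.port} ({f.process}) bound to {f.bind}: {f.reason}")
```

Loopback-only listeners are deliberately not reported: the risk the section describes is network reachability, and the PostgreSQL socket in the sample is reachable only from the host itself. Changing the role changes the verdict, so the same script can be run against every host class with its own baseline.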

 3.1.46 Insufficient Log Management

 Events from all devices should be logged to a central log management server and

alerting configured according to the criticality of each event or a correlation of

several events. An alert should be raised to the appropriate personnel when:

       the tamper detection mechanism on a device is triggered

       a threshold is reached on the number of meters issued a remote power

        disconnect command within a certain time frame

Common Problems

       Inadequate network security architecture (800-82 3-8)

       Poorly configured security equipment (800-82 3-8)

       Inadequate firewall and router logs (800-82 3-11)

       No security monitoring on the network (800-82 3-11)

       Critical monitoring and control paths are not identified (800-82 3-12)

Potential Impact

       Failure to detect critical events

       Removal of forensic evidence

       Log wipes
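The two alert conditions above, as an added example that is not part of the thesis: the Python below correlates constructed head-end syslog lines, alerting on every tamper detection and whenever more than a threshold number of remote disconnects hit one NAN inside a sliding time window. The line format, the `nan=` field, the threshold of three and the ten-minute window are assumptions for the demo; a real deployment would feed the central log server's normalized events into the same logic.

```python
"""Correlate AMI head-end log events into alerts.

Added example, not the thesis author's code. The log line format, the
threshold and the window are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ami: event=(?P<event>\w+) "
    r"meter=(?P<meter>\S+) nan=(?P<nan>\S+)(?: by=(?P<actor>\S+))?$"
)

# Assumed policy: more than DISCONNECT_THRESHOLD remote disconnects in one
# NAN within WINDOW is treated as a possible mass-disconnect attack.
DISCONNECT_THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def parse(line: str):
    """Return the event fields as a dict, or None if the line is not ours."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=DISCONNECT_THRESHOLD, window=WINDOW):
    """Return (alert_type, detail) tuples in log order.

    Every tamper_detect event alerts immediately.  Remote disconnects are
    counted per NAN in a sliding window; an alert fires each time the count
    in the window exceeds the threshold.  Unparsable lines are surfaced too,
    because silently dropping log lines is how evidence gets lost.
    """
    alerts = []
    recent = defaultdict(deque)  # nan -> timestamps of disconnects in window
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparsed", line))
            continue
        if ev["event"] == "tamper_detect":
            alerts.append(("tamper", f"meter {ev['meter']} in {ev['nan']}"))
        elif ev["event"] == "remote_disconnect":
            window_q = recent[ev["nan"]]
            window_q.append(ev["ts"])
            while window_q and ev["ts"] - window_q[0] > window:
                window_q.popleft()  # drop disconnects that fell out of the window
            if len(window_q) > threshold:
                alerts.append(("mass_disconnect",
                               f"{len(window_q)} disconnects in {ev['nan']} "
                               f"within {window} (last by {ev['actor']})"))
    return alerts


# Constructed sample log: four disconnects in NAN-7 inside ten minutes, one
# tamper event, one late disconnect outside the window, one garbage line.
SAMPLE_LOG = """\
2010-03-01T08:00:00 headend1 ami: event=remote_disconnect meter=M1001 nan=NAN-7 by=billing
2010-03-01T08:02:00 headend1 ami: event=remote_disconnect meter=M1002 nan=NAN-7 by=billing
2010-03-01T08:03:30 headend1 ami: event=tamper_detect meter=M2210 nan=NAN-9
2010-03-01T08:04:00 headend1 ami: event=remote_disconnect meter=M1003 nan=NAN-7 by=billing
2010-03-01T08:05:00 headend1 ami: event=remote_disconnect meter=M1004 nan=NAN-7 by=ops-api
2010-03-01T08:30:00 headend1 ami: event=remote_disconnect meter=M1005 nan=NAN-7 by=billing
garbage line
"""

if __name__ == "__main__":
    for kind, detail in correlate(SAMPLE_LOG.splitlines()):
        print(f"ALERT {kind}: {detail}")
```

The sixth disconnect in the sample does not alert because the four earlier ones have aged out of the window; the window slides per NAN, so routine collections work spread across the service area never accumulate into a false alarm.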

3.1.47 Inadequate Anomaly Tracking

  Alerts and logging are useful techniques for detecting and mitigating the risk of

anomalous events. Reaction to an event will vary according to the critical nature of

the event or a correlation of certain events. Alerts and logging can present security

risks or become vulnerabilities if not done carefully.

      A central logging facility may be necessary for correlating events, with

       policies for appropriate event reactions

      A policy should include automatic paging of relevant personnel in the event

       of persistent tamper messages

      Another case may involve positive acknowledgement to indicate supervisory

       approval of a potentially disruptive

3.1.48 Network

 Definition: Networks are connections between multiple locations or organizational

units, comprising many differing devices that use common protocols and procedures to

facilitate a secure exchange of information.

  Vulnerabilities and risks occur within smart grid networks when policy,

management and procedures do not conform to required standards and compliance

policies. Network areas susceptible to risk with policy and compliance impacts are:

data integrity, security, protocol encryption, authentication, and device hardware.

3.1.49 Inadequate Integrity Checking

 The integrity of a message's protocol framing and data should be verified before

routing or processing, that is, before any application attempts to use the data for

internal processes or to route it to another device. Special security devices acting as

application-level firewalls should perform logical bounds checking so that, for

example, no single command stream can shut down power across an entire NAN. Most

functions of the smart grid, such as Demand Response, Load Shedding, AMR, ToU, and

Distribution Automation, require that data confidentiality and/or data integrity be

maintained to ensure grid reliability, prevent fraud, and support reliable auditing.

Failure to apply integrity and confidentiality services can result in exposure of

sensitive customer data, unauthorized modification of telemetry data, transaction

replay, and audit manipulation. Devices that receive traffic which does not conform to

the protocol or message standard should not act on it.

Common Problems

      Lack of integrity checking for communications (800-82 3-12)

      Failure to detect and block malicious traffic in valid communication channels

      Inadequate network security architecture (800-82 3-8)

      Poorly configured security equipment (800-82 3-8)

      No security monitoring on the network (800-82 3-11)

Potential Impact

      Compromise of smart device, head node, or utility management servers.

      Buffer Overflows

      Covert Channels

      MitM

      DoS / DDoS
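The receiver-side checks this section calls for, as an added example that is not part of the thesis: a head node that verifies a command's integrity tag before parsing it, rejects replays with a per-sender monotonic counter, checks protocol conformance, and applies a logical bound so that one message cannot disconnect a whole NAN. The wire format (JSON body, HMAC-SHA256 tag, `ctr` counter field), the shared key, the op set and the 5 percent bound are assumptions chosen for the demo, not a real AMI protocol.

```python
"""Verify an AMI command before routing or acting on it.

Added example, not the thesis author's code. The wire format (JSON body,
HMAC-SHA256 tag, per-sender monotonic counter), the shared key, the op set
and the NAN bound are assumptions chosen for the demo.
"""
import hashlib
import hmac
import json

# Assumed policy: one command may disconnect at most this share of a NAN.
MAX_DISCONNECT_FRACTION = 0.05
VALID_OPS = {"read", "disconnect", "reconnect"}


class Rejected(Exception):
    """Raised with the reason a message must not be acted upon."""


def mac_tag(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build(key: bytes, counter: int, payload: dict) -> dict:
    """Sender side: serialize deterministically, then tag the exact bytes."""
    body = json.dumps({"ctr": counter, **payload}, sort_keys=True).encode()
    return {"body": body, "tag": mac_tag(key, body)}


class HeadNode:
    """Receiver side: integrity, replay and bounds checks, in that order."""

    def __init__(self, key: bytes, nan_size: int):
        self.key = key
        self.nan_size = nan_size
        self.last_ctr = {}  # sender -> highest counter accepted

    def accept(self, sender: str, msg: dict) -> dict:
        # 1. Integrity: do not even parse a body whose tag fails to verify.
        expected = mac_tag(self.key, msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            raise Rejected("bad MAC")
        cmd = json.loads(msg["body"])
        # 2. Replay: the per-sender counter must strictly increase.
        if cmd["ctr"] <= self.last_ctr.get(sender, -1):
            raise Rejected("replayed or stale counter")
        # 3. Protocol conformance and logical bounds before any side effect.
        if cmd.get("op") not in VALID_OPS:
            raise Rejected(f"unknown op {cmd.get('op')!r}")
        targets = cmd.get("meters", [])
        if cmd["op"] == "disconnect" and len(targets) > self.nan_size * MAX_DISCONNECT_FRACTION:
            raise Rejected(f"disconnect of {len(targets)} meters exceeds NAN bound")
        self.last_ctr[sender] = cmd["ctr"]
        return cmd


def verdict(node: HeadNode, sender: str, msg: dict):
    """Helper returning ('ok', cmd) or ('rejected', reason) instead of raising."""
    try:
        return "ok", node.accept(sender, msg)
    except Rejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    key = b"demo-key-not-for-production-use!"  # assumed shared key for the demo
    node = HeadNode(key, nan_size=1000)
    good = build(key, 1, {"op": "disconnect", "meters": ["M17", "M42"]})
    print(verdict(node, "collector-A", good))
    print(verdict(node, "collector-A", good))  # same bytes again: replay
    forged = {"body": good["body"].replace(b"M42", b"M43"), "tag": good["tag"]}
    print(verdict(node, "collector-A", forged))  # body changed, tag not: bad MAC
    flood = build(key, 2, {"op": "disconnect", "meters": [f"M{i}" for i in range(60)]})
    print(verdict(node, "collector-A", flood))  # 60 > 5% of 1000: bounds
```

The order matters: the MAC is checked with a constant-time comparison before the body is parsed, so a forged message never reaches the JSON parser; a message that fails the bounds check is not acted upon even though it was authentic and fresh, and its counter is not consumed, so a legitimate retry with a smaller target set still succeeds.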

3.1.50 Inadequate Network Segregation

 Network architectures commonly lack defined security zones and controls on the

traffic between zones. Flat networks that allow any portion of the network to

communicate with any other portion can be compromised end to end from a single

foothold. Smart Grid problems arise from failing to install a firewall to control traffic

between a head node and the utility company, or failing to prevent traffic from one

NAN reaching another NAN.

Common Problems

      Failure to Define Security Zones

      Failure to Control traffic between Security Zones

      Inadequate Firewall Ruleset

      Firewalls nonexistent or improperly configured (800-82 3-10)

      Improperly Configured VLAN

      Inadequate access controls applied (800-82 3-8)

      Inadequate network security architecture (800-82 3-8)

      Poorly configured security equipment (800-82 3-8)

      Control networks used for non-control traffic (800-82 3-10)

      Control network services not within the control network (800-82 3-10)

      Critical monitoring and control paths are not identified (800-82 3-12)

Potential Impact

      Direct compromise of any portion of the network from any other portion of

       the network

      Compromise of the Utility network from a NAN network

      VLAN Hopping

      Network Mapping

          Service/Device Exploit

          Covert Channels

          Back Doors

          Worms and other malicious software

3.1.51 Inappropriate Protocol Selection

 The use of clear-text protocols may permit attackers to perform session hijacking

and man-in-the-middle attacks. Authentication keys and data payloads can be exposed

by the use of unencrypted or weakly encrypted network protocols. This may allow

attackers to obtain credentials, access other devices in the network, and decrypt

traffic protected with those same keys. It should be noted that encryption is not

always the appropriate choice: network monitoring and inspection capabilities are

lost on encrypted traffic, so the trade-off should be studied carefully before

encryption is implemented, and encryption should not be applied where the loss of

visibility is not justified by the confidentiality requirement.

Common Problems

      Standard, well-documented communication protocols are used in plain text in

       a manner which creates a vulnerability (800-82 3-12)

      Inadequate data protection between clients and access points (800-82 3-13)

Potential Impact

      Compromise of all authentication and payload data being passed

      Session Hijacking

      Authentication Sniffing

      MitM Attacks

      Session Injection

3.1.52 Weaknesses in Authentication Process or Authentication Keys

  The authentication mechanism does not sufficiently authenticate devices or exposes

authentication keys to attack.

Common Problems

      Inappropriate Lifespan for Authentication Credentials/Keys

      Inadequate Key Diversity

      Authentication of users, data or devices is substandard or nonexistent

       (800-82 3-12)

      Insecure key storage

      Insecure key exchange

      Insufficient account lockout

      Inadequate authentication between clients and access points (800-82 3-13)

      Inadequate data protection between clients and access points (800-82 3-13)

Potential Impact

      DoS / DDoS

      MitM

      Session Hijacking

      Authentication Sniffing

      Session Injection
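Inadequate key diversity and inappropriate key lifespan, from the list above, together with the point in 3.1.51 that a key recovered from one device should not unlock traffic to other devices, as an added example that is not part of the thesis: per-meter keys derived with HKDF (RFC 5869, implemented here directly on HMAC-SHA256 from the standard library) from a utility master key, with the meter identifier and a rotation epoch bound into the derivation. The master key, the salt label `ami-meter-keys-v1`, the meter identifiers and the two-epoch grace window in `KeyRing` are assumptions for the demo.

```python
"""Per-meter key diversification with HKDF (RFC 5869) and epoch rotation.

Added example, not the thesis author's code. The master key, the salt
label, the meter identifiers and the two-epoch grace window are assumptions
for the demo.
"""
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zeros."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def meter_key(master: bytes, meter_id: str, epoch: int, purpose: str = "auth") -> bytes:
    """One key per (meter, purpose, epoch).

    Binding the meter id into `info` gives key diversity: extracting the key
    from one stolen meter reveals nothing about its neighbours.  Binding the
    epoch bounds the key's lifespan without ever touching the master key.
    """
    prk = hkdf_extract(b"ami-meter-keys-v1", master)
    info = f"{purpose}|{meter_id}|{epoch}".encode()
    return hkdf_expand(prk, info, 32)


class KeyRing:
    """Head-node view of which epochs are live.

    The current and the immediately previous epoch are accepted so a
    rotation can roll across the NAN without a flag day; anything older
    is refused (key_for returns None), which is what retires a leaked key.
    """

    def __init__(self, master: bytes, current_epoch: int):
        self.master = master
        self.current = current_epoch

    def key_for(self, meter_id: str, epoch: int, purpose: str = "auth"):
        if epoch not in (self.current, self.current - 1):
            return None
        return meter_key(self.master, meter_id, epoch, purpose)

    def rotate(self) -> int:
        self.current += 1
        return self.current


if __name__ == "__main__":
    master = hashlib.sha256(b"demo master secret, not for production").digest()
    ring = KeyRing(master, current_epoch=5)
    print(ring.key_for("M1001", 5).hex())
    print(ring.key_for("M1002", 5).hex())   # differs: key diversity
    print(ring.key_for("M1001", 3))         # None: outside the key's lifespan
```

Only the head end holds the master key; each meter is provisioned with just its own derived key, so the key extraction listed under 3.1.54 yields one meter's key for one epoch and nothing more. The HKDF functions can be checked against the published RFC 5869 test vectors before trusting them.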

3.1.53 Insufficient Redundancy

 Smart Grid infrastructure architecture does not provide for sufficient redundancy,

exposing the system to intentional or unintentional denial of service.

Common Problem

      Lack of redundancy for critical networks (800-82 3-9)

Potential Impact

      Denial of Service (DoS / DDoS)

3.1.54 Physical Access to the Device

 Access to physical hardware must be carefully limited to essential personnel.

Physical access to smart grid devices should be limited according to the criticality or

sensitivity of the device. Physically locking Smart Grid devices in a secure building

or container is preferred, where practical. In other circumstances, tamper resistance,

tamper detection, and intrusion detection and alerting should be used to physically

secure devices.

Common Problems

         Unsecured physical ports

         Inadequate physical protection of network equipment (800-82 3-9)

         Loss of environmental control (800-82 3-9)

         Non-critical personnel have access to equipment and network connections

          (800-82 3-9)

Potential Impact

         Malicious Configurations

         MitM

         EEPROM Dumping

         Micro Controller Dumping

         Bus Snooping

         Key Extraction

3.2       Vulnerabilities Ignored

 As the smart grid progresses, a new era of problems and issues arises. Concerns

about security have been ignored because the urgency to upgrade has only increased

since the passage of Barack Obama's stimulus package. Without much doubt the

iconic image of what a smarter grid will mean is the smart meter. There have been

billions of dollars reserved for smart-grid spending. Utility companies must meet

aggressive deadlines to qualify, and in response have accelerated their upgrade plans

with no regard whatsoever to security. Mike Davis of IOActive's security consultant
group has said that before the incentives were announced, several utilities approached

him and asked if he would perform penetration tests on meters they planned to roll

out. "As soon as the stimulus bill came out, everybody just clammed up," he said. "It's

almost impossible for us to get new devices to look at now". Utilities are essentially

responsible for policing themselves. History appears to repeat itself with the similar

regulatory arrangement of the credit card industry, in which merchants are required to

comply with rules set by other companies in the industry. Additionally, the history of

the staggering growth of the Internet and the inherent security problems is all the

more reason to proceed with security standards, especially in a critical system such as

the power grid. With a grid-burrowing worm [17] that replicates quickly and

possesses the ability to issue high-level commands, it becomes a certainty that the

vulnerability will be exploited. Obviously, rebuilding the electrical transmission

grid with smart meters will require fundamental regulatory reform at all levels,

especially when entrepreneurs, operators, and regulators are bending and stretching

rules almost to the breaking point. Radical reform of management and regulation will be

required if the smart grid is ever to be implemented with the critical security strategy that is

being ignored. Earlier this year, the U.S. stimulus legislation adopted allocations of

$4.5 billion in grants for Smart grid projects, $6 billion to support loan guarantees of

$50-60 billion for renewable energy and transmission, and $6.5 billion in loan

guarantees for the Bonneville Power Administration (BPA) and the Western Area

Power Administration (WAPA) to expand transmission to accommodate renewably

generated energy.

3.3 The Need for Regulation and Management

 As of June 18, 2009, the National Institute of Standards and Technology (NIST) was

scheduled to issue a draft Smart Grid Interoperability Standards Framework in

September 2009. Perhaps this is the beginning of the critical need for regulation and

management of the power grid. Only then can the power industry avoid problems

similar to those experienced in the unregulated staggering growth of the Internet, the

inter-state highway industry, and private power organizations such as the Newton,

Mass.-based First Wind Power Company. The Maine Public Service Company (MPS)

informed the First Wind generator company that it could no longer accommodate the

generated power from the wind farm. Although there is no direct connection to the

smart grid, First Wind exports the power to Canada. Canada then exports it right back

to power lines in New England in an awkward and peculiar solution. Regulation and

Management may have been able to avoid this type of situation. However, the need to

regulate and manage can become a downfall. Several examples of regulatory mistakes

can be discussed. History reveals the problems.

 The transcontinental railroad was completed in May 1869. For over 20 years the

railways were built out for the main line. In 1886, The Sears Catalog Company began

to capitalize on this railway with 2-page flyers sent all over the country. By 1895,

large Sears Roebuck catalogs were sent. This railway infrastructure enabled Sears

Roebuck to undercut the prices of general stores. Sears dominated the mail order

retailing industry for approximately 50 years by taking advantage of the new way to

connect to customers, conduct commerce, and introduce a new competitive

advantage. Perhaps Smart meter vendors can capitalize on the demand for Smart

Meters. There will be a great demand since the United States has only completed

about 5 percent of the upgrade to the power grid.

  Another example in contrast is the telecommunications network industry.

Regulation and incentives basically had the industry at a standstill for nearly 30 years.

The 1982 consent decree that broke up AT&T took effect in 1984. Investors then ventured

into the market and, in the years that followed, new digital products were rolled out that

included cell phones, Blackberries, iPhones, MP3 players and a whole host of Personal

Digital Assistants (PDAs). Too much regulation can be a bad thing. By opening up the

infrastructure to innovation, rapid development and progress can be realized. Several

thousand jobs are created and billions in revenue can be realized.

  Finally, a few words about the Internet should be discussed. In its infancy, there

were no real regards for security, future growth, performance, scalability and

reliability. There was no real planning or enforced regulation in the infancy of the

Internet. No one could have predicted what the Internet was to become. With

estimations of up to 60 times additional cost incursions to correct problems after the

fact, it is a hard lesson learned. Although there is a wealth of information on the need

for regulation of the Internet, and an extremely large amount on the management

aspect, history shows that the Internet grew at alarming rates with little or no

regulation or management, and that this has been a disaster in terms of cost. Patching

a network infrastructure with security after the fact carries a staggering cost.

  With at least $20 billion at stake, and another $100 billion by the year 2030, all

entities must recognize the vital role of the Smart Grid. It is the grid that makes the

connections to tie everything together and it is the Smart Grid that is so far behind the

rest of the international community that steps need to be taken to catch up.

3.4     Vulnerabilities in Smart Meters

  History has taught us that early-to-market technologies are often ideal targets for

malicious attacks because of the inherent vulnerabilities that are commonly

introduced in new products. Shown in figure 6.2 is a retrofitted power meter with a

Programmable Logic Controller (PLC) Circuit board. Technology solutions for the

smart grid continue to evolve and high speed PLC chips offer alternatives for

retrofitting meters at list price of $8.50 per unit. The low price of the retrofit module

may have a high cost in the sense of a security breach. For a determined hacker,

information on the programming code, OS, vulnerabilities and exploit techniques is

available from a variety of sources. The determined hacker can be successful in

exploiting these vulnerable meters. All PLC deployments will require some network

infrastructure equipment and are therefore vulnerable in a variety of ways. Figure 6.5

shows the block diagram of the PLC with network interfaces.

  The Smart Grid utility infrastructure shows promise to save money and resources

while providing better accounting of energy usage. Energy distribution and

transmission is becoming as technologically sophisticated as the rest of the Internet

and it is critical to fully examine the implications and risks of the Smart Grid and its

component parts. A quote from a recent presentation to the Committee of Homeland

Security summed up the problem.

  "The Smart Grid infrastructure promises to deliver significant benefits for many

generations, but first we need to address its inherent security flaws. Based on our

research and the ability to easily introduce serious threats, we believe that the relative

security immaturity of the Smart Grid and AMI markets warrants the adoption of

proven industry best practices, including the requirement of independent third-party

security assessments of all Smart Grid technologies that are being proposed for

deployment in the Nation's critical infrastructure. We are also recommending that the

Smart Grid industry follow a proven formal Security Development Lifecycle, as

exemplified by Microsoft's Trustworthy Computing initiative of 2001, to guide and

govern the future development of Smart Grid technologies."

  This is a quote from Joshua Pennell, President and founder of IOActive in a

presentation to the Committee of Homeland Security and DHS on March 16, 2009.

  It certainly seems that the quote from Joshua Pennell has both defined the problem

and provided the solution. As the effort moves forward, adherence to regulations and

guidelines will be critical. There is also the problem of existing vulnerable smart

meters that have already been deployed and will require expedited action.

Undoubtedly, following a proven Security Development Lifecycle will provide the

needed regimen to properly build a secure smart grid.

  The smart grid reaps the benefits of distributed computing and fault-tolerant

communications. It delivers real-time information and enables near-instantaneous

balance of supply and demand at the device level. A critical component of the Smart

Grid is the Advanced Metering Infrastructure (AMI), or smart meter network, which

acts as both a distribution point and an endpoint for communication and sensor nodes.

The meters include a wireless network interface and mesh networking software, which

provides a two-way flow of information to accompany the flow of electricity. Smart grid

sensors and meters monitor everything from power plants to customers' individual

appliances. This capability enables utility companies to automatically update the

software running on the devices and allows them to remotely disconnect and shut off a

customer's electricity over the network. There are over two million smart meters in use

in the US today, with an estimated 73 participating utilities having orders for 17

million additional smart meter devices, fueled by the recently approved $4.5 billion

economic stimulus package that is pushing many utility companies to roll out the

devices at a staggering pace. As the grid grows and matures, a new frontier for cyber

attackers opens up. The history of the Internet has demonstrated that malicious users

will find and exploit vulnerabilities to wreak havoc and make money, so it is critical

to develop and enforce strict security and privacy controls. Terrorists can and will

target weaknesses in the Smart Grid to shut off power to large areas and demand ransom

from the utility. Petty criminals can and will exploit weaknesses to disconnect power

to individual homes in order to break into the residence, or simply to be a nuisance.

Whatever the reason, the Smart Grid must be protected from these vulnerabilities.

 Although many benefits can be reaped from the smart grid, there are the many

negative aspects introduced from the similarity of the infrastructure of the Internet.

Smart meters are essentially mini-computers that lack the protection to ensure

security. Extensive research has revealed a range of vulnerabilities and programming

errors. Many of the smart meters are vulnerable to common attack techniques,

including buffer overflows, and persistent and non-persistent rootkits that could be

assembled into self-propagating malicious software. An alarming vulnerability is that

the smart meter's chipset used for radio communication is publicly available in a

developer kit. Malicious code execution on standard smart meters can be achieved,

and the radio interface's lack of authentication can be exploited to produce a worm

[17]. A malicious program on one meter could issue commands to the internal

firmware on adjacent meters until all devices within an area were infected with the

malicious firmware. The worm, once executed, can:

       Connect and disconnect customers at predetermined times

       Change metering data and calibration constants

       Change the meter's communication frequency

       Render the meter non-functional

  In a worst-case scenario, normal wireless update mechanisms would fail, the meters'

calibration would be changed, and service to customers' homes could be disconnected

with the remote disconnect capability. To recover, the utility company needs time to

understand the vulnerability and develop a patch, update the meters, and then restore

power to the customers. In the best-case scenario, the utility company would simply

push a firmware update across the wireless network to all the affected meters and

overwrite the worm to return the meters to normal operation, that is, if the remote

flashing capability has not itself been compromised. It is interesting to note that

IOActive performed "black-box" penetration testing on smart meters with "zero

knowledge": the attack is mounted by someone with no detailed knowledge about the

device, its electronics or its functionality. The objective is to breach the devices and

obtain binary-level code execution. Several strategies are used, including modeling

and exploring potential attack vectors, reverse engineering device binaries, deeply

inspecting hardware and software functions, and fuzzing protocol segments.

Research was conducted in a controlled lab environment. Modeling was conducted to

demonstrate the severity of a worm attack in the real world. Mike Davis, an

IOActive Senior Security Consultant, simulated a 22,000-node smart meter worm

propagation scenario with real-life variables using GPS points created from geo-

coded home addresses. The simulation was run with parameters that affect a

worm attack, including radio range, signal strength, radio noise, and Smart Grid

network packet collisions. The simulation showed that approximately 85% of

homes would be infected with the worm within 24 hours. The simulation illustrates the

consequences of vulnerabilities in software and firmware.

 Determined attackers have an easier time attacking smart meters since no real

consideration for physical security has been implemented. The meters can be stolen

easily, and although they have anti-tamper mechanisms, access to the device is still

possible, allowing usage information to be modified. The poor physical tamper

resistance allows an attacker to easily reverse engineer the device and uncover its

many exploitable security vulnerabilities. The attacker does not need to invest much

money, does not need a background in power systems, and needs only enough curiosity

to carry the exploit through.

 If an attack such as the one simulated in the IOActive laboratory did take place, the

Department of Energy reported it would take approximately 131 days to patch,

recover and implement a solution to the vulnerabilities. This staggering report from a

Department of Energy lab implies a large window of opportunity for

exploitation, especially when approximately 250 exploits for control systems existed on

any given day during the years 2006-2007.

   Although many argue that an attack is doubtful, a determined attacker cannot be

underestimated, especially when considering the consequences of a successful

exploit. An attack is likely to occur, if only from a curious attacker. Terrorism is

another likely motive. The Smart Grid is an attractive target that is relatively easy to

exploit and could cause the utilities to lose control of their metering infrastructure

to unauthorized third parties. Additionally, if the vulnerabilities in the Smart Grid are

left unchecked, the utilities could be exposed to fraud, extortion attempts, lawsuits,

widespread system interruption, and massive blackouts.

4.0 Secure the Network, ICS, or Smart Grid

  Not everyone accepts change, but when change is required and readily apparent,

utility companies must be held accountable to tight security practices. A new

measure aims to protect the new networks that have been introduced to control

electric power distribution grids throughout North America. Organizations

responsible for keeping electricity flowing throughout the United States and Canada

took the first step in May 2003 toward implementing cyber-security on the Byzantine

computer networks that control electric power distribution. Up until this time there

was no real security strategy. It has been known since at least 1997 that several

partitions of the power grid are vulnerable to attack. Basic security flaws were found

in the computerized systems that control generators, switching stations and electrical

substations. The findings were surprising: operational networks controlling critical

portions of the grid were accessible through electric utility companies' corporate

LANs, digital circuit breakers could be remotely tripped by anyone with the right

phone number, and passwords for remote vendor access went unchanged for years.

  The White House's National Security Telecommunications Advisory Committee

reported that physical attacks against utilities pose a greater threat than cyber attacks.

After September 11, the Federal Energy Regulatory Commission (FERC) began

talking about imposing security requirements on power companies to close holes in

critical infrastructures. It is interesting to note that there are still no known cases of

hackers causing service outages. The power companies prefer to regulate themselves,

but the North American Electric Reliability Council (NERC) has proposed

mandatory security standards for the electric industry. The NERC security rules

introduce basic security lifecycle processes: companies would have to sponsor cyber

security training programs, write security policies, identify their critical cyber assets,

and so on. Of the utmost concern is avoiding a catastrophe like the 1965 blackout

that knocked out power to 30 million people in the northeastern United States.

  How can the security of the Smart Grid be guaranteed so we do not experience the

problems inherent in new designs and implementations, such as those encountered in

the Internet? How can distribution engineers and designers mitigate the inherent

security vulnerabilities to realize the benefits of “smart” power distribution? How

can the stipulations for utilities to have a plan for due diligence in cyber security be

regulated and managed? The government stimulus money given to utilities puts them

in a powerful position. Utilities can apply pressure to meter vendors to produce more

secure devices and can drive competition in the smart meter market. Tests on the

security, quality, and reliability of the products from various vendors can ensure that

meter vendors continually improve their security protocols, devices and physical anti-

tamper mechanisms.

 Products released under a formal Secure Development Lifecycle (SDL), as advocated for

Smart Grid AMI vendors to guide and govern their releases, will be better equipped to

withstand malicious attacks, because security and privacy measures are taken into

account during each stage of development. The SDL requires a final security review

before the software is released. By layering the defenses and applying basic security

practices, such as authentication and encryption, it becomes much more difficult to

exploit sensitive device functions like running software updates and severing

customers from the power grid. Implementing encryption requires that the keys be

protected and strong enough that an attacker cannot easily take the meter apart,

locate the key and recover it.

 Smart meters must authenticate early and often to ensure that any proliferation

of a worm is stopped, or at the very least made very difficult. Authentication best

practices need to be enforced just as they are in networking and Internet systems. By

employing best practices for authentication, the threat posed by unauthenticated

interfaces can be minimized.

 Researchers have also shown that the radio interface's lack of authentication is a

dangerous vulnerability which, if exploited, can produce a worm [17] that spreads to

other meters at an alarming rate. This type of worm can have a devastating effect on

the grid and disrupt service to customers. In addition, some researchers have been

able to cause problems with radio jamming, and again another countermeasure must

be implemented for this problem, perhaps frequency hopping in the radio transceivers.

  There is still time to repair the Smart Grid infrastructure. The government, utility

companies and vendors, and security and privacy experts need to assume their roles as

the experts in Smart Grid security and protect the Smart Grid energy ecosystem. The

SDL process will also help these parties to correct the design flaws in the

smart meter devices. Taking these preliminary steps to secure the Smart Grid the right

way the first time provides the benefit of lower overall project costs. Without these

security strategies built into the system through the SDL, research statistics show

costs are 60 times higher when gaps in information security controls are addressed

late in the development phase.

  Vendors can now be held responsible for the security of the products they produce. The benefits of the Smart Grid and AMI technologies are bountiful, and utilities can begin to focus on the safety and privacy protocols of this critical infrastructure.

  When all the planning is done and a clear and concise plan of action has been approved, it is time for action. Strict adherence to the regulations must be maintained in both management and implementation. Upgrading the Smart Grid in the United States is far behind other countries. How does the United States compare to other countries in terms of implementation? See Figure 4.1.

  Note: This map shows the extent of smart meter deployments by electric utility companies. The deployments are completed, underway, or planned with a completion date on or before 2015. Smart meters are defined as advanced meters that allow two-way communication and real-time analysis of electricity consumption. The map does not include automatic meter reading (AMR) installations. Information was compiled using the latest public data available as of May 20, 2009.

    Figure 4.1 Smart Meter Implementation Percentages by Country

 4.1 Nessus Scanning

 Section 3.1 presented information on numerous common vulnerabilities. These are the well-known common problems, but some may not be so obvious to newly trained ICS/Internet personnel. The problems introduced into AMI/AMR systems from Internet and networking vulnerabilities make identifying and securing the infrastructure a daunting task. Many problems are readily apparent, and there are those that are not so easily identified. It would be impossible to manually identify and mitigate all the issues. Nessus provides a tool to assist in identifying problems in AMI/AMR technology. Nessus is an active scanner featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis. It is a popular vulnerability scanner that offers many features to help assess the security of control system networks, devices, servers and workstations. Basic vulnerability scanning has crashed many control system devices and applications, but new features and techniques make it possible to scan control system networks with minimal impact on critical systems such as SCADA. This “safe” feature makes Nessus an ideal candidate for use with SCADA systems.

                            Figure 4.2 The Nessus Logo

 Nessus is part of the following Digital Bond Racks:

      • Control System Security Assessment Rack
      • Application Security Assessment Rack
      • Web Application Security Assessment Rack

4.1.1 Bandolier

 Digital Bond is currently involved in a research project known as Bandolier [21]. It documents the optimal security configurations for control system application components. These configurations are written into audit files that can be used in security tools such as Nessus. Policy compliance checks allow asset owners to verify that the system is in the optimal security configuration for both operating system and application security settings. Bandolier audit files are used at initial deployment to establish the baseline configuration and compliance with NIST standards, to verify a secure installation, and to periodically check the configuration over time to determine whether the security posture has degraded. Bandolier is funded by the Department of Energy (DOE) and is Objective 1 of a larger effort known as the Cyber Security Audit and Attack Detection Toolkit.

4.1.2 Compliance Checks

  Using guidance from NIST and other industry organizations, Tenable Network Security has developed best-practice compliance checks for many operating systems and common Internet applications such as databases and web servers. The Bandolier project is developing files specifically for control system applications that reside on a variety of Windows, Linux and Unix platforms. The Bandolier audit files can be used with the Nessus compliance plug-ins to perform security scans, compare a deployed control system component to the best-practice security settings and identify any variances. The Nessus compliance plug-ins are available to Nessus ProfessionalFeed customers at a cost of $1200 a year, which includes access to new plug-ins, customer support and the SCADA plug-ins that Digital Bond [7] developed for Tenable. The compliance plug-ins give the Nessus Vulnerability Scanner the ability to audit a system against the secure configuration described in the policy compliance file. Files created by Bandolier can be used with the Nessus Vulnerability Scanner to audit the security configurations of the twenty-plus control system applications that are part of the project. Although Nessus is the de facto standard for vulnerability scanning, other tools are available that can perform similar functions. Digital Bond will also make the compliance checks available in the XCCDF and OVAL formats used by NIST's Security Content Automation Protocol (SCAP), so that all SCAP-validated scanners will be able to use the Bandolier audit files, providing maximum benefit and reusability for the community.

4.1.3 Compliance Checks versus Vulnerability Scans

  An important difference exists between compliance checks and traditional vulnerability scanning in Nessus, and each has its own distinct purpose and value. Vulnerability scanning relies on signatures of “known bad things”: the scanning tests typically send packets to the device under scan, and such packets have caused many control system applications to crash or operate improperly. Compliance checks, on the other hand, compare a system against a “known good”, hardened configuration. This is done by creating an authenticated administrator connection to the system and inspecting its configuration.

   Different methods are used to determine what services are running on a workstation or server. Vulnerability scans send a packet to each TCP and UDP port and evaluate the response to determine whether the port is open. Unfortunately, simple port scanning has caused numerous poorly written control system applications to fail. Compliance checks, on the other hand, connect to the workstation or server as an authenticated administrator, obtain the list of running services and return this information over the administrative connection. An application that would crash on a port scan does not crash when the same information is collected by a compliance check, because the information comes from the operating system rather than from probing the application's ports.

  Compliance checks can read and evaluate files, which makes the number and types of available checks almost limitless and provides the capability of checking many built-in settings at the operating system level. The following examples do not represent the full array of checks that are available but are meant only to highlight the capability of the checks. Note that the examples progress from basic service evaluation to very specific application configuration inspection.

4.1.4 Examples: Service Auditing

  The Service Audit example shows how the policy for a particular Windows service is audited. This case shows a compliance-file check validating that the SCADA Control Service is set to "Automatic". A check may also specify that a service should be "Disabled" or "Manual".

  <custom_item>
  description: "Verify that the SCADA Control service is set to automatic"
  value_type: SERVICE_SET
  value_data: "Automatic"
  service_name: "SCADAControlService"
  </custom_item>

  Example 1: Service Audit for a Linux system

 <custom_item>
 # type keyword assumed (a Unix custom_item needs one); the original listing omits it
 type: CHKCONFIG
 description: "The crond service is required for proper operation of the SCADA application. This check verifies that it is enabled"
 service: "crond"
 levels: "2345"
 status: ON
 </custom_item>

 Example 2: Application Audit for a Linux system

 An important part of any security audit is a simple check for a minimum password length of at least eight characters on a Windows system.

 <item>
 name: "Minimum password length"
 value: [8..MAX]
 </item>

The Linux equivalent is similar to the Windows check.

 <item>
 name: "minimum_password_length"
 description: "Minimum password length"
 value: "14..MAX"
 </item>

 Example 3: Password Policy Audit for Windows and Linux

 <custom_item>
 description: "Determine if permissions are set correctly for the RealTime Server (bobjAcknowledge)"
 value_type: POLICY_TEXT
 value_data: "c:\program files\ControlSystemApp\config\Realtime.cfg"
 regex: "bobjAcknowledge.*"
 expect: "bobjAcknowledge, Permission Control_SCADA"
 </custom_item>

 Example 4: File Content Auditing

4.1.5 Bandolier Schedule and Deliverables

 Digital Bond [21] is committed to the following deliverables and hopes to accelerate the schedule and increase the deliverables. The Bandolier Audit Files list is maintained on the SCADApedia.

        • The first audit templates were issued in July 2008.
        • Ten audit templates were complete in October 2008.
        • Twenty audit templates were complete in September 2009.
        • 40 audit templates have been delivered to Tenable Nessus as of April 2010.

All deliverables will be made available as Digital Bond Subscriber Content on Digital Bond's website. Each audit template will be provided in the Policy Compliance File format for Nessus, and eventually the audit templates will be available in XCCDF/OVAL format for import into other scanners. Additionally, documentation pages will be available on the control system application audit tests, with links to the applicable documentation page included in the audit results.

4.1.6 Development Approach

Step 1: Select the control system applications for project participation.

The methodology developed to enhance the Nessus scanning solution is flexible, so that enhanced scans can target both conventional network systems and ICS control servers and computers. In this context, control system refers to any server or workstation, whether it is connected to ICS or to conventional LANs or WANs. The focus is to develop a systematic methodology that can be used in currently implemented systems and in future implementations. The following factors make a control system application more suitable for a systematic enhanced scanning methodology to detect and discover vulnerabilities:

      • Select a control system application running on a relatively current operating system. Exclude systems running Windows 98 or NT.
      • Select a control system application or component that can be secured. Applications that cannot be patched, or that are configured in a highly vulnerable manner, will be of little use. The audit can and will only verify it is an insecure
      • Select a control system application that is widely deployed. Human Machine Interfaces (HMI) or operator consoles are ideal candidates because this will allow a quick and consistent audit of many HMI workstations. Similarly, if the same Distributed Control System (DCS) is being used at many power plants, then that DCS would be an ideal choice.
      • Select a critical control system application. A critical control server is a good candidate for a compliance policy file even if there is only a primary and a backup server. The compliance policy file will identify any changes to the secure configuration.
      • Similar control system application components with different configurations can have their own compliance policy. Permissions on different systems could be quite different even though an HMI might run the exact same software as an engineering workstation.
      • Inspect logs, research security bulletins and investigate network anomalies for potential problems that may cause disruptions or outages. This step is needed to assess the proper operation of the target system. Several different processes are performed.

Step 2: Develop secure, hardened configurations for each control system application component

This step is extremely important. The goal is to create a standard configuration for each control system application component, e.g. HMI, Historian, Realtime Server and OPC Server. Deployed control system application components will be measured against the standard, scanned with existing plug-ins, and patched for any discovered vulnerability. The ideal scenario is for the system administrator, SCADA administrator or DCS vendor to assist in this step. Digital Bond's research team, system administrators, the vendor and asset owner users would work together to define the “gold” standard for Bandolier. Consensus guidelines have been used as a starting point for the security configuration settings of operating systems and common Internet applications, such as web servers and database applications. Modifications are made as needed for the control system application to function properly, and then the control system application specific ideal security settings are defined.

Step 3: Perform a baseline scan

After the “gold” standard is defined, perform a baseline scan. Any vulnerability or non-compliance discovered should be corrected and the scan run again until all problems are resolved, using the direct feed plug-ins supplied by Nessus. After all problems have been resolved, the scan should be designated as the original “gold”


Step 4: Develop Plug-ins for Newly Discovered Issues and Checks for

Not all Bandolier audit templates are developed to measure the same level of security. One HMI's gold standard may be much more secure than another HMI's gold standard because the vendor may have leveraged operating system security features and built security features into one and not the other. Bandolier templates attempt to identify the best possible security setting for each individual control system application component.

  As of May 1, 2010, Tenable Nessus provides 35,414 plug-ins that perform a comprehensive set of checks. Nessus is not a tool that can “cover all the bases” but is a tool designed to “cover” a large portion of problems that are nearly impossible to discover manually. With this in mind, there are problems that may be unique to the organization, and therefore a need for customized plug-ins to enhance the scanning tool to discover vulnerabilities and check for compliance.

 Creating customized plug-ins to enhance the scanning capability for any such issue is a critical step that must be done correctly. The plug-ins can be written to output a specific message for vulnerability discovery or to indicate compliance. Any vulnerability or compliance check file must be written to comply with the Nessus general guidelines. See step 4.1 for Nessus plug-in guidelines.

Step 4.1 Methodology to Create Nessus plug-in

 Nessus plug-ins are created according to the guidelines in the Nessus Attack Scripting Language (NASL) [6]. The guidelines are followed so that the scanner can make use of its full functionality and to ensure that the enhanced plug-in behaves properly, especially on critical computers connected to critical systems. There are three guidelines to

   •      execute only if necessary
   •      use other script results by use of dependencies
   •      share by saving to KB, upload report results and plug-ins

 By following this methodology, the Nessus community reaps many benefits. Discussion forums, support, knowledge base, documentation and users all benefit from the collaboration.

Step 5: Test New Plug-ins Before Releasing to Production Environment

Skip this step if no new enhanced plug-ins have been developed. Otherwise, the system administrator will gather information on the system and create the vulnerability and compliance policy files for the secured and hardened configuration. Each test task on each system should be thoroughly tested. Ideally, the plug-ins should be tested in a similar lab environment or on test equipment. A prototype with virtual machines can be used as a test bed to determine that the plug-ins are behaving and not causing problems in the environment. Badly written plug-ins can cause serious


Step 6: Perform “Post-Gold” Scan

Perform another scan to discover any vulnerabilities and to check for compliance. This scan should indicate full compliance with the “gold” standard previously defined in step 2. Any failures indicated in the scan report will need to be resolved; then return to step 3 and scan until all issues are resolved. At this point the target system's “gold” scan and “post-gold” scan can be compared in the Nessus scanner by selecting the option within the Report GUI. The “post-gold” scan should be run at prescribed intervals to discover whether any unauthorized changes have occurred since the last “gold” baseline scan. The “gold” standard documentation and processes may need modification at this step if new plug-ins are written or other standards have been updated with new configurations. Repeat the development approach for other target systems that are participating in the project.
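The comparison the procedure above calls for (steps 3 and 6: a "gold" baseline scan held against a later "post-gold" scan) can be automated once the two reports are flattened to rows. The following is an added example, not code from the thesis or from Nessus: the two result sets are constructed inline, the plug-in ids are made up, and the row shape (host, plug-in id, name, severity, compliance result) is an assumption about how a report would be exported.

```python
"""Drift detection between a "gold" baseline scan and a later "post-gold" scan.

Added example, not part of the thesis and not Nessus code.  The two result sets
are constructed inline in the shape of a flattened report row (host, plug-in id,
name, severity, compliance result); the plug-in ids are made up.
"""
from dataclasses import dataclass

# Severity names as they appear in scan reports; the ranks are ours, for thresholds.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: int        # constructed ids, not real Nessus plug-in ids
    name: str
    severity: str
    result: str = ""      # "PASSED"/"FAILED" for compliance checks, empty for vulnerability plug-ins


# Constructed "gold" baseline taken when the hardened configuration was accepted (step 3).
GOLD = [
    Finding("10.0.0.5", 900001, "Scan information", "Info"),
    Finding("10.0.0.5", 900010, "Minimum password length", "Info", "PASSED"),
    Finding("10.0.0.5", 900011, "SCADAControlService start type is Automatic", "Info", "PASSED"),
    Finding("10.0.0.5", 900100, "Legacy protocol enabled", "Low"),        # accepted risk at gold time
    Finding("10.0.0.6", 900001, "Scan information", "Info"),
]

# Constructed "post-gold" scan of the same hosts some weeks later (step 6).
POST_GOLD = [
    Finding("10.0.0.5", 900001, "Scan information", "Info"),
    Finding("10.0.0.5", 900010, "Minimum password length", "Info", "FAILED"),   # policy was loosened
    Finding("10.0.0.5", 900011, "SCADAControlService start type is Automatic", "Info", "PASSED"),
    Finding("10.0.0.5", 900200, "Missing operating system patch", "High"),      # new since baseline
    Finding("10.0.0.6", 900001, "Scan information", "Info"),
]


def diff_scans(gold, post_gold):
    """Split the post-gold results into new, resolved and regressed findings.

    A finding is identified by (host, plug-in id).  A compliance check that was
    PASSED at gold time and is FAILED now is a regression: the configuration
    drifted away from the hardened standard.
    """
    gold_by_key = {(f.host, f.plugin_id): f for f in gold}
    post_by_key = {(f.host, f.plugin_id): f for f in post_gold}
    new = [post_by_key[k] for k in sorted(post_by_key.keys() - gold_by_key.keys())]
    resolved = [gold_by_key[k] for k in sorted(gold_by_key.keys() - post_by_key.keys())]
    regressed = [
        post_by_key[k]
        for k in sorted(post_by_key.keys() & gold_by_key.keys())
        if gold_by_key[k].result == "PASSED" and post_by_key[k].result == "FAILED"
    ]
    return {"new": new, "resolved": resolved, "regressed": regressed}


def action_items(diff, min_severity="Low"):
    """Findings that block sign-off of the post-gold scan.

    Every compliance regression counts, regardless of the Info severity that
    compliance plug-ins carry; new vulnerability findings count from
    min_severity upwards, so purely informational plug-ins generate no work.
    """
    threshold = SEVERITY_RANK[min_severity]
    new_vulns = [f for f in diff["new"] if not f.result and SEVERITY_RANK[f.severity] >= threshold]
    return diff["regressed"] + new_vulns


def format_report(diff):
    """Human-readable summary in the order an asset owner would read it."""
    lines = []
    for label in ("regressed", "new", "resolved"):
        for f in diff[label]:
            lines.append(f"{label.upper():9} {f.host} {f.plugin_id} {f.severity:8} {f.name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_scans(GOLD, POST_GOLD)))
```

Keying findings on (host, plug-in id) rather than on the finding text keeps the diff stable when a plug-in's wording changes between feed updates; the regression list is what answers the step 6 question of whether unauthorized changes have occurred since the baseline.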

4.1.7 Extending Bandolier with Nessus Credentialed Scanning

The Bandolier security audit files provide a view of the internal security configuration. Some desirable audit results are not available directly from the audit files or compliance checks. Nessus Credentialed Scanning options are a safe, reliable method to assess control system servers and workstations. Plug-ins are available to audit missing patches at both the operating system and application levels, including some often-overlooked client applications. Enhanced plug-ins are created to target specific vulnerabilities or compliance checks.

Other authenticated scanning options include the "netstat" port scanner, which is a safe way to enumerate open ports without a traditional port scan that has been known to crash some control system applications. This is extremely important, since the control system of a Smart Grid cannot crash under any circumstance, least of all because of an administrator-invoked scanning task. Unix systems use the command netstat -an to return the results. Windows systems use WMI to return the same information.

Nessus Credentialed Scanning

Nessus offers additional information when credentials are provided to authenticate to the remote host. The credential checks are useful when used in conjunction with a full vulnerability scan and are a safer scanning option to use with fragile control system hosts.

Technology

The Nessus scan policy takes user credentials as input to connect to a remote server or workstation. Nessus is allowed to authenticate to a remote host and use the built-in operating system functionality to run the tests that the user has defined in the scan policy. Selected configuration screenshots are included below.

Windows

 The Nessus scanner uses Server Message Block (SMB) for Windows hosts, which requires the ability to communicate with the remote host on TCP port 445. The user account defined in the scan policy requires administrator privileges.

Unix

The Nessus scanner relies on Secure Shell (SSH) on TCP port 22 for Unix and Linux hosts. Root access is obtained either through the root account or through an account capable of using su or sudo. See Figure 4.1 for the configuration screen for Windows or Unix.

                   Figure 4.1. Configuration Screen for Credentials

4.1.8 Policy Compliance Plug-ins

 The Policy Compliance plug-ins are also referred to as compliance checks. These are the mechanisms through which audit files work. They provide the means to audit a variety of settings, from baseline operating system security policy to customized application configuration checks such as those found in the Bandolier security audit files. Tenable offers operating system audit files for nearly all major operating systems. See Figure 4.2.

                        Figure 4.2 Policy Compliance Plug-ins

4.1.9 Patch Auditing

 Nessus credential checks can be used to identify missing security patches. Local security plug-ins check for missing operating system and application patches that are commonly overlooked during the security assessment phase. This is one of the most critical tasks required for securing operating systems and applications. See Figure 4.3 for an example screenshot.

     Figure 4.3. Example plug-in Selection of Operating System and Application Security Scans

4.1.10 Netstat Port Scanner

 Nessus also has the ability to use the authenticated connection to do a "netstat" port scan. This is a safe way to enumerate open ports without a traditional port scan, which has been known to crash some control system applications. As the name implies, on Unix systems the command netstat -an is invoked to return the results; for Windows, WMI is used to return the same information. See Figure 4.4.

                              Figure 4.4 Customize Policy Edit
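What the netstat port scanner does with the text it collects over the authenticated connection is ordinary parsing: pick out the sockets that accept traffic, separate loopback-only services from network-exposed ones, and compare the result with the hardened baseline. The following is an added example, not code from the thesis or from Nessus; the netstat -an output is constructed to look like Linux output, and the allowed-service baseline is made up for the example.

```python
"""Listening-port inventory from netstat output, the way an authenticated
"netstat" port scan collects it: no probe packets are sent to the host.

Added example, not part of the thesis and not Nessus code.  The netstat -an
output below is constructed to look like Linux output; the allowed-service
baseline is made up for the example.
"""
import re
from dataclasses import dataclass

# Constructed `netstat -an` output for a Linux control-system server.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::8443                 :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
"""

# Baseline of services the hardened configuration is allowed to expose (constructed).
ALLOWED = {("tcp", 22), ("tcp", 8443), ("udp", 161)}

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"; IPv6 sockets are folded into the same protocol
    address: str    # bound local address
    port: int
    exposed: bool   # True unless bound to a loopback address


def _is_loopback(address):
    return address == "::1" or address.startswith("127.")


def parse_netstat(text):
    """Return the sockets that accept traffic: TCP in LISTEN, and every bound UDP socket."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or unrelated line
        proto = m.group("proto")[:3]
        state = m.group("state") or ""
        # UDP has no connection state, so any bound UDP socket can receive datagrams.
        if proto == "tcp" and state != "LISTEN":
            continue
        address, port = m.group("local").rsplit(":", 1)
        listeners.append(Listener(proto, address, int(port), not _is_loopback(address)))
    return listeners


def unexpected_exposure(listeners, allowed):
    """(proto, port) pairs reachable from the network that the baseline does not permit."""
    found = {(l.proto, l.port) for l in listeners if l.exposed}
    return sorted(found - set(allowed))


if __name__ == "__main__":
    for item in unexpected_exposure(parse_netstat(NETSTAT_SAMPLE), ALLOWED):
        print("not in baseline:", item)
```

Splitting the local address on the last colon is what makes the IPv6 rows (":::8443") parse correctly; a loopback-only service such as the mail daemon on 127.0.0.1:25 is recorded but not reported as exposure, which is the distinction an asset owner cares about when reading the result.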

4.1.11 Reporting

 Using a combination of the Nessus credential scanning features can produce a useful NERC CIP compliance report that often gives more insight into the security posture of the machine or system. Combining the Bandolier security audit files, the netstat port scanner and patch auditing can produce a report for inspection by the asset owners. Figure 4.5 shows the report of the custom iepeers.dll 0-day vulnerability [12] [13] plug-in run against an unpatched Windows XP computer.

          Figure 4.5. Report Example of the iepeers_dll_0day.nasl plug-in

4.1.12 Nessus Scanner Use

Nessus users have a wide range of powerful options whose functionality is critical to a successful vulnerability scan. Scans can be configured and tailored for specific needs in each unique environment. As with any function in the technology industry, there is a balancing act that must be observed. For instance, “Thorough Tests” can be selected in the Global Settings menu. This will cause the scanner to behave differently when executing, but it also carries a risk of adversely affecting fragile hosts or services. The option changes the behaviour of over 900 of the more than 34,000 plug-ins available with Nessus. The idea is to use the “Thorough Tests” option only if needed. A system administrator would not select this option if all he wanted to perform was port enumeration; he could, however, select the “Thorough Tests” and “Enable CGI scanning” options for scanning specific web applications. These configuration examples show that the options are features in the scanner that add to its flexibility and robustness.

Nessus User Configuration Tab

The Nessus configuration tab is used to add users and assign permissions. The users are then restricted to the permissions of their account.

                             Figure 4.6 Nessus User Tab

Nessus Policy Configuration Tab

The Nessus policy configuration tab is used to customize the policy for a scan. Policies can be configured in a variety of ways. Plug-ins can be added or removed, credentials can be supplied, preferences defined, and the policy can be named and described. The entire configuration for a policy customization is done in this tab.

                             Figure 4.7 Nessus Policy Tab

Nessus Scan Tab

The Nessus Scan Tab is used to select the policy for the scan. The scan is named and the target or targets are specified. The “Launch Scan” button is then highlighted.

                              Figure 4.8 Nessus Scan Tab

Nessus Report Tab

The Nessus Report Tab is used to select the report for the scan. The report is selected and the download button is used to fetch the report from the server. The format is selected from the dropdown menu. The HTML format is a convenient format for quickly displaying the results.

                           Figure 4.9 Nessus Report Tab

4.1.13 Nessus Performance

Tenable Nessus performed benchmark tests [23] on Windows. The tests were done on a single-CPU Windows XP SP3 VM with 786Mb of RAM running on an Intel Xeon CPU at 2.66GHz. The tested scanners were Nessus 3 and Nessus 4.0.0. Each scan was done with 4 plug-ins and 50 hosts in parallel. The Windows scanners scanned a class C containing a mixture of Linux and Windows target hosts. Credentialed scanning was performed with Windows and SSH credentials provided to the scanner, safe checks were enabled, and CGI scanning was disabled. The plug-in set used was 200904102034. See Figure 4.10 for a comparison of Nessus versions 3 and 4 Windows scan times.

                           Figure 4.10 Windows Scan Time

Tenable Nessus performed benchmark tests [23] on a Unix-based machine with a dual Xeon system. The hardware configuration of the Unix machine was:

    • 2.8GHz processor
    • 2Gb of RAM
    • Red Hat Enterprise Linux ES 5 (Linux 2.6.18-92.1.18.el5PAE)

The tested scanner versions were Nessus 4.0.0, 3.0.6 and 2.2.10. Each scan was performed with 4 plug-ins in parallel to scan 50 hosts in parallel (4 x 50). The test network comprised two local class C networks containing a total of 33 live hosts. The hosts were a mixture of Windows, Solaris, Linux and Mac OS X hosts. Windows and SSH credentials were provided to the scanner, safe checks were enabled, and CGI scanning was disabled. The plug-in set used was 200904101434. See Figure 4.11 for a comparison of Nessus versions 2, 3 and 4 Unix scan times.

                 Figure 4.11 Unix Scan Time

                 Figure 4.12 Memory Usage

                                Figure 4.13 System Load

4.1.14 Customize Policies

Several factors make the Nessus Scanner an ideal tool for system administrators, among them the ability to customize plug-ins for very specific needs. This fine granularity enables each plug-in to be used as a building block to address the multitude of vulnerabilities that can be exploited in SCADA systems. Since the integration of the Internet into ICS, it is difficult to discover all the vulnerabilities that have surfaced in the system. Nessus includes a list of over 34,000 plug-ins used for discovering vulnerabilities. However, the case may exist where no plug-in has been written for a particular issue.

At first glance, it appears that a comprehensive list of plug-ins is available for Nessus scanning. Research shows that no plug-in has been written to address CVE-2010-0806, a “Peer Objects” component vulnerability involving access to an invalid pointer upon the deletion of an object. Otherwise known as an “Uninitialized Memory Corruption Vulnerability”, exploits for it surfaced in the wild in March 2010 [12] [13]. The following NASL code [6] was written to address this vulnerability.


 # iepeers.dll 0-day vulnerability script
 # (free-after-use, aka Uninitialized Memory Corruption Vulnerability)
 # CVE Reference: CVE-2010-0806
 # Written by Raymond Cordova
 # Test script to detect 0-day vulnerability in Internet Explorer

 if (description)
 {
   script_version("$Revision: 1.0 $");
   script_name(english:"iepeers.dll 0-day vulnerability in Internet Explorer versions 6 or 7");
   script_summary(english:"Checks Internet Explorer version for 0-day free-after-use vulnerability.");
   script_set_attribute(attribute:"synopsis", value:
     "An older version of Internet Explorer (6 or 7) is installed on the remote host.");
   script_set_attribute(attribute:"description", value:
     "A version of Internet Explorer (6 or 7) is installed on the remote host.
 Data Execution Protection (DEP) is enabled by default in IE 8.0, which helps mitigate
 attacks against it. Microsoft recommends that users upgrade to version 8 for better
 security. Note that there are unconfirmed reports from Secunia and other online
 scanners that version 8 is also vulnerable to the iepeers.dll vulnerability using ActiveX.");
   # the see_also URL and the risk_factor value are not legible in the original listing
   script_set_attribute(attribute:"see_also", value:"<see_also URL omitted in the original listing>");
   script_set_attribute(attribute:"solution", value:"Upgrade to Internet Explorer 8.");
   script_set_attribute(attribute:"risk_factor", value:"<risk factor omitted in the original listing>");
   script_copyright(english:"This script is a test script written by Raymond Cordova.");
   script_category(ACT_GATHER_INFO);
   script_family(english:"Windows");
   # dependency assumed: reuse the IE version that the SMB hotfix plug-in stores in the KB
   # instead of querying the host again (see the "use other script results" guideline)
   script_dependencies("smb_hotfixes.nasl");
   script_require_keys("SMB/IE/Version");
   script_require_ports(139, 445);
   exit(0);
 }

 port = kb_smb_transport();
 version = get_kb_item("SMB/IE/Version");
 if (isnull(version)) exit(0, "The 'SMB/IE/Version' KB item is missing.");
 v = split(version, sep:".", keep:FALSE);

 # Only the major version matters: IE 6 and 7 are affected, IE 8 ships with DEP enabled.
 if ( int(v[0]) > 5 && int(v[0]) < 8 )
 {
   if (report_verbosity > 0)
   {
     report = '\n' +
       "Internet Explorer version " + version + " is installed on the remote host. " +
       "The iepeers.dll is vulnerable to exploits. The vulnerability is a free-after-use " +
       "of an invalid object pointer after object deletion." + '\n';
     security_warning(port:port, extra:report);
   }
   else security_warning(port);
 }
 else exit(0, "Internet Explorer version " + version + " is installed on the remote host and is not affected by the iepeers.dll vulnerability.");

Script 4.1 XP “iepeers.dll” 0-day Vulnerability Script

This code will scan, detect, report and suggest a solution to the vulnerability, if found. The methodology reuses previously written code by means of a dependency statement in the code, e.g. script_dependencies(). Also, local Knowledge Base items stored on the local server are accessed with the script_require_keys() statement. Utilizing these functions enhances the performance and overall effectiveness of the scan.

  # Windows Compliance Check for XP computers
  # Checks for disabled USB Storage Devices
  # Version 2 Windows Compliance Plugin
  # Written By Raymond Cordova
  <check_type: "Windows" version: "2">
  <group_policy: "Audits Windows 2003 Systems for disabled USB Storage devices.">

  <custom_item>
  description: "USB Storage Devices Are disabled"
  value_type: POLICY_DWORD
  value_data: 4
  reg_key: "HKLM\SYSTEM\CurrentControlSet\<remainder of the key path truncated in the original listing>"
  reg_item: "start"
  reg_type: REG_DWORD
  </custom_item>

  </group_policy>
  </check_type>

Script 4.2 XP USB Storage Devices Disabled Compliance Check Audit


# Windows Compliance Check for XP computers
# Checks for disabled CDROM autorun
# Version 2 Windows Compliance Plugin
# Written By Raymond Cordova
<check_type: "Windows" version: "2">
<group_policy: "Audits Windows Systems for CD AutoRun">

 <custom_item>
 description: "CD AutoRun Disabled"
 value_type: POLICY_DWORD
 value_data: 0
 reg_key: "<registry key omitted in the original listing>"
 reg_item: "AutoRun"
 reg_type: REG_DWORD
 </custom_item>

</group_policy>
</check_type>

Script 4.3 XP CDROM Auto-play Disabled Compliance Check Audit





       <check_type: "Unix">
       <custom_item>
       # type and file keywords assumed (a Unix custom_item needs them); the original
       # listing omits both, and /etc/ssh/sshd_config is the file sshd reads PermitRootLogin from
       type: FILE_CONTENT_CHECK
       file: "/etc/ssh/sshd_config"
       description: "Check if PermitRootLogin is set to no and not commented for the server."
       regex: "^ *[^#]*PermitRootLogin *"
       expect: "PermitRootLogin no"
       </custom_item>
       </check_type>

Script 4.4 Fedora 12 SSH Remote Root Login Disabled Compliance Check Audit Script
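The audit items in Examples 1-4 and in Scripts 4.2-4.4 all reduce to the same "known good" comparison: read a setting through the authenticated connection, then test it against the value, range or regex/expect pair in the item. The following is an added example, not code from the thesis and not Tenable's compliance engine, that parses items of those kinds and evaluates them against a snapshot of a host. The audit text and the host snapshot are constructed; the registry key under the Example hive is made up, and treating "no line matches regex" as a failure is a simplification of the real engine's rules, as noted in the code.

```python
r"""Evaluate Nessus-style audit items against a snapshot of a host's configuration.

Added example, not part of the thesis and not Tenable's compliance engine.  It
covers the item kinds used in Examples 1-4 and Scripts 4.2-4.4: SERVICE_SET,
CHKCONFIG, predefined <item> ranges, POLICY_DWORD registry values and
regex/expect file-content checks.  The audit text and the host snapshot are
constructed; the registry key under HKLM\SOFTWARE\Example is made up.
"""
import re

AUDIT_SAMPLE = r"""
# constructed audit text modelled on the thesis's examples, not a shipped Bandolier file
<custom_item>
 description: "Verify that the SCADA Control service is set to automatic"
 value_type: SERVICE_SET
 value_data: "Automatic"
 service_name: "SCADAControlService"
</custom_item>
<custom_item>
 description: "crond is enabled in runlevels 2-5"
 type: CHKCONFIG
 service: "crond"
 levels: "2345"
 status: ON
</custom_item>
<item>
 name: "Minimum password length"
 value: [8..MAX]
</item>
<custom_item>
 description: "USB storage driver start type is 4 (disabled)"
 value_type: POLICY_DWORD
 value_data: 4
 reg_key: "HKLM\SOFTWARE\Example\Policies"
 reg_item: "UsbStorageStart"
 reg_type: REG_DWORD
</custom_item>
<custom_item>
 description: "PermitRootLogin is set to no and not commented"
 type: FILE_CONTENT_CHECK
 file: "/etc/ssh/sshd_config"
 regex: "^ *[^#]*PermitRootLogin *"
 expect: "PermitRootLogin no"
</custom_item>
"""

# Constructed snapshot of what an authenticated connection would read from the host.
HOST = {
    "services": {"SCADAControlService": "Automatic"},
    "chkconfig": {"crond": "2345"},                    # runlevels in which the service is on
    "policy": {"Minimum password length": 7},          # below the [8..MAX] range
    "registry": {(r"HKLM\SOFTWARE\Example\Policies", "UsbStorageStart"): 3},
    "files": {"/etc/ssh/sshd_config": "# PermitRootLogin yes\nPermitRootLogin no\nUsePAM yes\n"},
}

BLOCK_RE = re.compile(r"<(custom_item|item)>(.*?)</\1>", re.S)
KEY_RE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*(.+?)\s*$")


def _unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_audit(text):
    """Turn each <custom_item>/<item> block into a dict of its key: value lines."""
    checks = []
    for m in BLOCK_RE.finditer(text):
        fields = {"_kind": m.group(1)}
        for line in m.group(2).splitlines():
            km = KEY_RE.match(line)          # '#' comment lines do not match
            if km:
                fields[km.group(1)] = _unquote(km.group(2))
        checks.append(fields)
    return checks


def in_range(value, spec):
    """Range syntax from the examples: [8..MAX], "14..MAX", MIN..10."""
    low, high = spec.strip('[]"').split("..")
    low = 0 if low == "MIN" else int(low)
    high = float("inf") if high == "MAX" else int(high)
    return low <= value <= high


def evaluate(check, host):
    """True when the host satisfies the check; unsupported kinds raise rather than pass silently."""
    if check["_kind"] == "item":                      # predefined policy setting looked up by name
        actual = host["policy"].get(check["name"])
        return actual is not None and in_range(actual, check["value"])
    value_type, item_type = check.get("value_type"), check.get("type")
    if value_type == "SERVICE_SET":
        return host["services"].get(check["service_name"]) == check["value_data"]
    if value_type == "POLICY_DWORD":
        return host["registry"].get((check["reg_key"], check["reg_item"])) == int(check["value_data"])
    if item_type == "CHKCONFIG":
        enabled = host["chkconfig"].get(check["service"], "")
        want_on = check["status"].upper() == "ON"
        return all((level in enabled) == want_on for level in check["levels"])
    if item_type == "FILE_CONTENT_CHECK" or value_type == "POLICY_TEXT":
        content = host["files"].get(check.get("file") or check.get("value_data"))
        if content is None:
            return False                              # a missing file cannot satisfy the check
        selected = [ln for ln in content.splitlines() if re.search(check["regex"], ln)]
        # regex picks the candidate lines and expect must match one of them; no candidate
        # line at all counts as a failure here (setting absent), a simplification of the real rules
        return any(re.search(check["expect"], ln) for ln in selected)
    raise ValueError(f"unsupported check: {check}")


def run_audit(text, host):
    """Map each check's description (or name) to PASSED/FAILED, as a compliance report would."""
    return {c.get("description") or c["name"]: ("PASSED" if evaluate(c, host) else "FAILED")
            for c in parse_audit(text)}


if __name__ == "__main__":
    for name, result in run_audit(AUDIT_SAMPLE, HOST).items():
        print(f"{result:6} {name}")
```

The sshd_config snapshot deliberately contains a commented-out "# PermitRootLogin yes" ahead of the live "PermitRootLogin no": the leading `^ *[^#]*` in the regex from Script 4.4 is what keeps the commented line from being selected, so the check passes on the active setting rather than on the comment.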

Following the Nessus best practices presented in the NASL Reference Guide [6], the code was written to address only one vulnerability in each plug-in. In this way, each plug-in can be combined with future or existing plug-ins as a building block of a complex collection of plug-ins.

4.2 Notable Projects in the United States

 As the United States plays catch-up to the rest of the international community, many projects are underway that have gained attention. Some projects are kept confidential; however, some have become the topic of discussion in many forums interested in the upgrade of the Smart Grid. Some notable projects are as follows:

      • In California and Texas, utilities are spending around $6 billion to install meters that can tell them how much electricity they are using at any given time, what time-of-day real-time pricing is in effect, and how much they are paying for it. Utilities can receive real-time outage alerts and site-specific information useful for diagnostics.
      • Smart metering is a big enough trend to have substantial spin-off benefits for related businesses. Gartner estimates that 150 million meters may be installed in the next five years, generating $2 billion in orders from semiconductor makers. Texas Instruments believes the chip demand could go as high as $7.5
      • All of the four major mobile telephone providers in the United States and several overseas are highly involved in developing inexpensive communications systems with smart meters. Google has devised a free Web-based service, Google PowerMeter, to help consumers track and analyze their energy use. Additionally, Siemens is among the companies working on a special XML communications standard suitable for meters under the aegis of the World Wide Web Consortium.
      • Baltimore Gas and Electric Co. is experimenting with customers equipped with smart meters. They will be rewarded for reducing peak-load usage at a rate of $1.50 per kilowatt-hour cut.
      • One of Denmark's five largest electricity distributors, EnergiMidt, a customer-owned cooperative, is installing Smart Meters for all of its 170,000 residential users.  A partner of Echelon Corp. in San Jose, Calif., Finland's Eltel Networks, has the contract to provide IP-based meter data management
      • Florida utility FPL is installing 1 million smart meters in Miami and may eventually install as many as 4.5 million throughout the state. The upgrade program will include trials of home dashboards, smart thermostats and appliances, and energy-saving software. GE is supplying meters and appliances, and networking technology comes from Silver Spring Networks and Cisco.
      • Pacific Gas and Electric (PG&E) has a budget of $2.2 billion to install more than 5 million smart electric meters in California by 2012. Another smaller

       group received programmable thermostats, showing impressive reductions in

       peak electricity demand.

      Pepco Holdings plans to install advanced smart metering solutions for all of

       its customers in the District of Columbia, Delaware, Maryland, and New

       Jersey by 2013.

      The Texas–New Mexico Power Co. (TNMP) is installing 10,000 meters with

       technical assistance from SmartSynch and T-Mobile. Residence and utility

       communications will be handled by AT&T Mobility.

4.3 Selected Vendor Smart Meters

Several vendors have recently released enhanced versions of their smart meter products. These vendors have been developing Smart Meters in compliance with the Security Development Lifecycle and several guidelines adopted by the regulatory and management agencies involved with the process of safely securing the Power Grid.

4.3.1 Itron OpenWay®

Itron has recently released its OpenWay® Collection Engine with Enhanced Security Features [15]. Itron released the new Smart Meter on February 11, 2009 and is leading the industry with enhanced Smart Meter security. Two key characteristics of OpenWay® by Itron make this possible: the economies of scale of the OpenWay radio-frequency based local area network communications module (RFLAN), and the American National Standards Institute (ANSI) C12.22 open standard protocol [2]. The release and initial shipments of enhanced security Smart Meters enable strong authentication and enhanced security for use in Advanced Metering Infrastructure (AMI) deployments. The current version of OpenWay software is fully compliant with the security and encryption requirements of industry and ANSI C12.22 standards. The optional enhanced security version exceeds these requirements by providing security consistent with the North American Electric Reliability Corporation (NERC) Critical Cyber Asset requirements. Based on elliptic curve cryptography (ECC), Itron is shipping Certicom's AMI 7000® series meters with communication encryption and key management appliances in OpenWay to secure end-to-end network messages. The AMI infrastructure receives and passes information from the OpenWay Collection Engine down to the OpenWay CENTRON® meter. The OpenWay security architecture, combined with enhanced signing and encryption capabilities, is designed to meet the two-way command and control requirements for AMI and Smart Grid network platforms. Itron boasts that its solution provides strong integrity of control, non-repudiation, availability and confidentiality. Itron also states that it now offers unparalleled network and metering system security with the release of its optional enhanced security version, enhancing energy management and measurement technologies as efforts progress toward the development of the Smart Grid. Notably, the meter provides strong authentication to support enhanced security, a critical option required for secure communication. See Figure 4.3.1.

Figure 4.3.1 Itron OpenWay® Solution

4.3.2 Texas Instruments Smart Meters with Secure Pre-Payment

Smart electricity, water and gas meters are undergoing extensive development upgrades to ensure security. Additionally, a new revolution has surfaced for payment. A contactless radio frequency (RF) chip transponder IC, the Secure Multi-Purpose Contactless IC/Module RF-HCT-WRC5-KP22 [5], has been incorporated into the smart meter with a new capability for a consumer payment card or token. This idea is transforming smart meters into secure [15] AMI/AMR and pre-payment devices. The meters are built on a high-speed, low-power, secure smart IC platform with industry-standard secure encryption. Several desirable features are included with the meters, listed as follows.

• Triple DES, SHA-1 crypto-algorithms, ANSI X9.63 session key
• Mutual authentication – authorized tag and reader complete
• Flexible and configurable memory
• Supports up to five applications on one card or token
• ISO/IEC 14443 with ISO/IEC 7816 command set support

Radio Frequency enabled pre-paid smart meters give utilities access to a broader customer base. RF enabled meters with Pre-Payment reduce the risk of non-payment and offer consumers a new, fast and convenient way to control and pay for services. Reduction in billing administration costs can be realized with this revolutionary new idea. Two models of the reader are available, the TRF7960 and TRF7961 TI-RFid™ HF Reader IC. Both offer the following features.

• High level of integration and performance
• Low-power and small size
• Configurable and flexible architecture
• Eases hardware and software system design
• Low total Bill of Materials (BOM)
• ISO/IEC 14443, ISO/IEC 15693 and Tag-it

Several advantages of Contactless RF Pre-Payment can be realized for consumers. Consumers can now control utility usage and not have utilities turned off unexpectedly. It is expected that consumers will embrace the convenience of “24/7 wave and pay as you go”. Major credit card companies and banks worldwide are deploying secure contactless technology. It is a fast and convenient “tap-and-go” credit, debit and stored-value payment application at the retail point of sale. The technology securely stores and transmits data over short ranges, typically less than 2 inches. Consumers need only purchase contactless cards from a kiosk or the utility company. The cards contain a secure contactless RF chip loaded with a pre-paid amount. The consumer waves the card in front of the meter to activate it and the amount is loaded into the smart meter and debited from the card. Texas Instruments offers a complete contactless RF pre-payment solution for Smart Meters, including tag and reader integrated circuits and microcontrollers. It is an easy and efficient solution to RF-enable the latest generation of smart utility meters.

Texas Instruments Smart Meters

The Texas Instruments (TI) product line of MSP430 microcontrollers and Low-Power RF devices provides a solution for low-power wireless networks, including standards-based IEEE 802.15.4 low-cost, low-speed communication devices, ZigBee or other proprietary networks. The MSP430 product line offers ultra-low power consumption, power-saving mechanisms, a high-performance 16-bit CPU and integrated analog. The MSP430 microcontrollers and TI's Low-Power RF devices give designers the ability to achieve low power consumption, long range and reliable performance at a competitive price. The CC430 family of sub-1 GHz monolithic system-on-chip devices integrates the MSP430 5xx microcontroller with a flexible Low-Power RF transceiver.

-Based Network System-on-Chip Solutions

The industry's highest performance, single-chip, low-power RF solution is the CC430. The CC430 is based on the new 5xx generation of ultra-low-power MSP430 microcontrollers. Designed with a high level of peripheral integration, outstanding analog performance and ease of use, the 5xx core is paired with the flexible CC1101 sub-1 GHz transceiver to deliver the sensitivity and blocking performance required for a robust communication link in RF environments. The CC430 devices enable the user to minimize RF power, size, and cost requirements while still maintaining superior application performance. There is also the 8051-based System-on-Chip solution. TI recommends the CC2430/2431 for IEEE 802.15.4 and ZigBee networks; the CC2510/2511 is recommended for 2.4 GHz; and the CC1110/1111 for sub-1 GHz use. The MSP2530 development kit provides a flexible platform to encompass the majority of controllers, protocols and devices.

Standard-Based Networks

The IEEE 802.15.4 wireless radio frequency standard for low-power and short-range applications is ideal for point-to-point or point-to-multipoint networks. The 802.15.4-based proprietary network can be upgraded to evolve to a ZigBee-compliant

ZigBee is a low-power wireless network standard that offers mesh networking and interoperability between different products. ZigBee is a network layer on top of the IEEE 802.15.4 standard physical and MAC layers. Smart metering and home automation services in the Advanced Metering Infrastructure (AMI) and Home Automation (HA) profiles are ideal targets for ZigBee.

Proprietary Networks

Texas Instruments (TI) provides free software code for building a network. The SimpliciTI Network Protocol is implemented with a battery-operated TI Low-Power RF System-on-Chip or the MSP430 and an RF transceiver. The SimpliciTI network protocol is a simple and versatile solution, combining MSP430+CC1101/2500, CC1110/2510 and DSSS parts to provide solutions for applications such as alarm systems, smoke detectors and active RF-ID applications.

Development Platforms

Texas Instruments (TI) offers several development kits that are available by donation awards or purchase. Partial kits are available for evaluation via free download but still require purchase of licenses, software, etc. for full functionality. Texas Instruments offers the “Sample and Buy” program where developers can order samples and test as needed. In this way, developers can evaluate the product. The development kits can cost from less than a thousand dollars to several thousand dollars. The TI CC2530ZDK development kit is a good starter candidate for lab use. The MSP2530 micro-controller is currently used in the TI advertised compliant Smart

Figure 4.3.2 CC2530 ZDK Development Kit Cost (Name: CC2530 ZigBee Development Kit; Status: ACTIVE; Price: $649.00)

A CC2530ZDK includes:

• TI's ZigBee stack, Z-Stack (
• 2 SmartRF05EB Evaluation Boards
• 5 SmartRF05 Battery Boards
• 7 CC2530EM Evaluation Modules
• USB Dongle
• Antennas and batteries
• IAR EW8051 C-compiler with C-SPY debugger (30+30 day evaluation license)

4.3.3 MBUS3 Firmware

On September 28, 2009 in Oslo, Norway, a new firmware feature set was introduced as MBUS3 [9] to comply with the Open Metering System (OMS) specification for advanced metering applications. It has been launched by the compact RF module provider Radiocrafts AS. The new firmware runs on the Wireless M-Bus module (RC1180-MBUS) for use in AMI/AMR applications. It is the first completely embedded module solution compliant with the new OMS specification available in the market, in addition to the well established NTA 8130 compliant feature set (MBUS2). The OMS primary communication interface is based on the Wireless M-Bus standard (EN 13757-4:2005). It specifies the communication between a multi-utility communications (MUC) controller or gateway and electricity, gas, water and heat meters. The specification is becoming widely accepted in Europe. The new MBUS3 module can be configured for use as a master (in the MUC), a slave (in the meter or an actuator), or as a repeater. The MBUS3 feature set offers several desired capabilities:

• supports S1, S2, T1 and T2 modes
• handles encryption (AES-128) of all time-critical communication between the MUC and the meter
• power saving features give battery lifetimes in excess of 14 years
• master module can support up to 64 slaves, all with unique encryption keys
• unique auto-message generation feature
• message mailboxes supporting individual communication with several slaves in parallel
• repeater functionality makes up a complete and autonomous repeater that will store and retransmit slave messages in order to increase the coverage area of one master (MUC)

The new RC1180-MBUS3 [9] is a surface-mounted high performance transceiver module measuring only 12.7 x 25.4 x 3.3 mm, and can easily be integrated into any meter. Serial communication is facilitated by a UART interface that is used for configuration. An antenna connects directly to the RF pin. When used with quarter-wave antennas a line-of-sight range of 800 m can be achieved. The new module supports two-way communication and is capable of valve control and data acknowledgement. The RC1180-MBUS module has been certified for operation under the European radio regulations for license-free use in the rapidly growing smart metering market. This solution provides a complete Wireless M-Bus solution compliant with the OMS specification in a small compact module form factor that is easy to integrate into meters and gateways. The Wireless M-Bus stack makes it easy to add a fully compliant OMS solution to space-limited and battery-operated meters. It significantly reduces time-to-market, development, and compliance testing cost.

5.0. Difficulties and Lessons Learned

As plans unfolded for research into ICS and Internet integration, emerging technology and the security of these systems, several unforeseen issues began to surface. The first difficulty encountered was procuring a prototype that could simulate a SCADA infrastructure. When asked about test access to a SCADA test bed, a quote from an email from Renaud Deraison of Nessus simply states, “That's the biggest problem with SCADA”, indicating no test scans can be run on a SCADA system unless special permission is granted through contract agreement. Ultimately, no access to any test bed or system could be established because of the stringent security of the ICS.

Several vendors were hesitant to provide any information about their product for fear of divulging trade secrets and of unknown vulnerabilities being discovered. This proved difficult to work around: vendors such as Byram Labs could provide a few meters of different models, but the collection points were part of a $900 online monitoring service billed in 6-month periods. The cost would have been approximately $3000 for meters and 6 months of monitoring service that would have to be renewed for continued research efforts. Other vendors provided meters only to authorized buyers. And others would allow purchase of a smart meter but provided no support for interfaces, code enhancement, development or hardware.

Several development kits could simulate a “Smart Meter”, but cost, interface hardware, software, and ambiguity about what is specifically needed made the decision difficult. Research showed the TI CC2530ZDK MSP2530 ZigBee and ZigBee Pro development kit to be a good candidate for conducting meaningful research. The kit costs $649 and has a “Sample before Buy” program that allows users to order different hardware samples for testing in the kit. This kit allows for testing of several different low-power RF processors and protocol stacks currently used in TI's solution for Smart Meters. Also considered was the CC430, which integrates the latest MSP430F5xx to develop an entire wireless project. However, more functionality and flexibility is integrated in the MSP2530 development kit, and the more secure Smart Meters use this hardware.

Another candidate development kit is the CC2430 System-on-Chip solution for 2.4 GHz IEEE 802.15.4 / ZigBee. The Z-Stack library version 2.2.2-1.30 used in the CC2430 and CC2530 microcontrollers uses an insufficiently random Pseudo-Random Number Generator (PRNG) for cryptographic signatures and session keys. PRNG data repeat every 32,767 samples, and there are at most 16 bits of entropy in any key. Searching the entire key space is possible without investing a lot of time. These random numbers must not be used to generate keys used for security purposes. The flaw is twofold: the PRNG is not cryptographically secure, and it is seeded from a random source that has very little entropy. The weakness ought to serve as a cautionary tale for the untold number of companies working on parts with stimulus monies that will make up the emerging smart grid. It therefore became a time-consuming research task to determine whether the ZigBee stack shipped with the CC430 and CC2530 development kits is the latest version 2.3.0, since the assumption that the ZigBee stack in these kits is not flawed relies on that.
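
To make the Z-Stack weakness concrete, the following added example (my own code, not TI's and not from the thesis) drives a stand-in generator with only 15 bits of state and counts how many distinct 128-bit keys it can ever produce; the generator is an assumed maximal-length LFSR, chosen because its period matches the 32,767-sample repeat quoted above, not Z-Stack's actual algorithm.

```python
"""Added example: why a small-state PRNG cannot yield strong session keys.

WeakPrng is a constructed 15-bit maximal-length LFSR (period 32767), an
assumed stand-in for the Z-Stack generator discussed above, NOT TI's code.
The lesson does not depend on the exact algorithm: a key derived from S
bits of generator state can take at most 2**S values, however long it is.
"""
import math
import secrets
from typing import Set

STATE_BITS = 15
STATE_MASK = (1 << STATE_BITS) - 1


class WeakPrng:
    """Fibonacci LFSR with feedback from bits 14 and 13 (x^15 + x^14 + 1, a
    primitive polynomial), so all 32767 nonzero states form a single cycle."""

    def __init__(self, seed: int) -> None:
        # Only 15 seed bits survive; a zero register would lock up, so it is
        # forced to 1, costing yet another seed value.
        self.state = (seed & STATE_MASK) or 1

    def next_bit(self) -> int:
        fb = ((self.state >> 14) ^ (self.state >> 13)) & 1
        self.state = ((self.state << 1) | fb) & STATE_MASK
        return fb

    def next_word(self) -> int:
        """16-bit output word (same clocking as next_bit, inlined for speed)."""
        w, s = 0, self.state
        for _ in range(16):
            fb = ((s >> 14) ^ (s >> 13)) & 1
            s = ((s << 1) | fb) & STATE_MASK
            w = (w << 1) | fb
        self.state = s
        return w


def measure_period(seed: int, limit: int = 1 << 20) -> int:
    """Defender-side sanity check: clock until the state first repeats."""
    g = WeakPrng(seed)
    start = g.state
    for n in range(1, limit + 1):
        g.next_bit()
        if g.state == start:
            return n
    return -1  # no repeat within limit


def derive_key(seed: int, key_bytes: int = 16) -> bytes:
    """The naive derivation: concatenate successive generator words."""
    g = WeakPrng(seed)
    return b"".join(g.next_word().to_bytes(2, "big") for _ in range(key_bytes // 2))


def distinct_keys(key_bytes: int = 16) -> Set[bytes]:
    """Every key the generator can ever emit: one per reachable state.

    All 65536 16-bit seeds collapse onto these 32767 states, so the set is
    complete no matter how the seed is chosen."""
    return {derive_key(s, key_bytes) for s in range(1, 1 << STATE_BITS)}


def effective_entropy_bits(key_bytes: int = 16) -> float:
    """log2 of the number of distinct keys: the key's real strength."""
    return math.log2(len(distinct_keys(key_bytes)))


def strong_key(key_bytes: int = 16) -> bytes:
    """The mitigation: keys come from the OS CSPRNG, never a stack PRNG."""
    return secrets.token_bytes(key_bytes)


if __name__ == "__main__":
    print("stand-in PRNG period:", measure_period(0x1234))
    print("distinct 128-bit keys:", len(distinct_keys()))
    print("effective entropy: %.2f bits" % effective_entropy_bits())
```

Whatever the key length, the key set is bounded by the number of generator states; counting those states is the check to run on any stack's RNG before trusting it for keys.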

The Nessus demo version was selected for the functional, flexible, customizable, powerful, automated and safe scanning tool it is advertised to be. Nessus boasts that it is an invaluable centralized tool for ICS/Internet administrators to simplify the daunting task of securing the ICS/Internet infrastructure. The decision was made to test the tool with credentialed scanning and to customize plug-ins for enhancing the tool to add meaningful value. The focus was to identify a methodology to be used as a foundation in future work to meet the requirements of the various enterprise organizations. The Nessus HomeFeed version was downloaded and it was soon discovered that the tool's functionality is limited to basic scanning. It became evident the HomeFeed version would not meet the requirements to fulfill the research, methodology and enhancement goals.

Renaud Deraison at Nessus was contacted through email with a request for the ProFeed version. Project information was provided and Renaud provided a fully functional version of Nessus ProFeed. The ProFeed version provided additional

• Report comparison
• Resolved inconsistencies in the creation of custom plug-ins
• Re-index DB inconsistencies
• Display issues with plug-ins

The Nessus ProFeed exhibited odd behavior with custom plug-ins.

• Re-index DB inconsistencies unless the DB is purged and rebuilt
• Display issues with plug-ins
• Re-named plug-in is run twice
• Re-named plug-in is displayed twice

Rebuilding and re-indexing the database was attempted to resolve the problems encountered with custom plug-ins. The command "c:\Program Files\Tenable\Nessus\nessusd.exe" -R 3 was entered in a command prompt. The “-R” switch with the option “3” rebuilds the database with a complete flush, rebuild and re-index. The procedure of logging out of the client, stopping the Nessus server and executing the command failed: the command prompt immediately returned and the server would not restart. The installation was repaired through the Control Panel Programs applet and the server restarted successfully. However, the duplicate plug-ins were still listed and the scan report indicated two instances of the same plug-in although the plug-ins were named differently. The underlying cause was that the plug-in ID number was identical: the ID number was not changed during the renaming procedure. This effectively caused a collision of the plug-ins in the database and the cached plug-in mechanism. Two mistakes were made. Renaming a plug-in requires the ID to be changed immediately, before the server is restarted or plug-ins are updated through the server manager. The re-index command failed because the server manager window was still open even though the server was stopped. Close the server manager window prior to rebuilding the DB.

Figure 5.1 Successful Nessus Database Rebuild and Re-index

Nessus has been approved by the North American Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) as a tool for scanning SCADA. This tool is further enhanced by the Digital Bond Bandolier project [7]. Plug-ins are custom written to scan SCADA and network systems and require subscription services for full functionality and updates. Forty new plug-ins specifically written for SCADA have been delivered to Nessus by Digital Bond. The plug-ins are pre-compiled Nessus binary (.nbin file extension) files that cannot be analyzed unless they are reverse engineered with an application similar to IDA Pro. This made it difficult to analyze and research their scripts written for SCADA-specific compliance checks. Deeper research revealed that many of the “nbin” files are run as compliance checks for vendor-specific applications.

The Nessus Attack Scripting Language (NASL) [6] is a new language to learn before any scripting or customizing can be done. The reference manual was studied and test scripts were written to tune skills for the methodology to write custom scripts. The NASL interpreter proved to be very unforgiving. A stray space in the script would render the script un-executable and could only be discovered by brute-force trial and error until running the misbehaving script resulted in script errors in the report. Of particular concern are the Windows Compliance Check ID 51126 and Unix Compliance Check ID 51127 scripts. During the creation of an enhanced script for detecting SSH remote root login, the report indicated a conflict between version 1 and 2 of the compliance scripts. The Windows script worked, but the Unix Compliance Check ID 51127 would report “check_type” not set in the created custom script. Research of Nessus documentation and discussion boards indicated that “v2” be appended to the filename and that the opening <check_type: "Unix" version: "2"> and closing </check_item> tags are required for the version 2 plugin. The Nessus database is re-indexed with a nessus -t command to accept changes to any plug-ins. The nessus -D command is used to re-build the database. The Nessus service was restarted and the errors persisted. The script was re-written from scratch in the backward-compatible version 1 format and received a parse error indicating “ ” in line 3. The space was removed and the script completed successfully. A version 2 script was re-created and failed with the same indications. The limited resources of discussion boards, limited support and documentation all indicate the <check_type> tags should be included in version 2, but they clearly do not work for Unix compliance checks. The issues appear to be an unforgiving syntax error, in which a “space” before or after the script statements causes an error at run time, and the version 2 syntax not being recognized correctly in Unix Compliance Check ID 51127. Renaud Deraison of Nessus has confirmed that the version 2 syntax is not functional in the Unix compliance checks and only works with Windows.

The VMware server console was selected as the Virtual Machine solution for simulation of computer systems connected to SCADA systems. The VM server software would not install on the unsupported laptop hardware, so VM Workstation or Player trial versions had to be used. Four machines were configured: W2K3 unpatched, XP unpatched, Ubuntu 10 beta and Fedora 12 with telnet enabled. The virtual machines were then scanned, and the XP unpatched machine was scanned successfully with administrator credentials. The W2K3 machine could not be scanned with credentials since no domain was defined. The Ubuntu 10 machine scanned with no critical vulnerabilities found since no plug-ins have been written for the Beta version of Ubuntu 10. Fedora 12 was configured with telnet services and SSH remote root login enabled. Scans produced a report indicating both risk configurations on Fedora 12. Difficulties surfaced with the virtual machines. The XP unpatched machine became corrupt and had to be re-installed. It should be noted no scans were run on the XP machine prior to the corruption and it had been powered down ever since it was created. The Fedora 12 and W2K3 machines lost network connectivity when testing at UCCS. The Windows 7 laptop performed very well with all 4 virtual machines active. However, attempting to run a Nessus scan on the virtual machines while connected to the UCCS wireless campus network resulted in no scan running on any virtual machine. Connections on the home wireless LAN successfully completed scans. The “bridged” network adapter needs to be configured as “host only” for successful network connectivity between the host machine and the virtual machines. The scans were then successfully completed at home and at UCCS, and re-testing proved successful.

6.0. Conclusion

As the utility power grid catches up to technology, several inherent problems surface that are apparently not as visible as most would think. The essential feature of every smart electricity distribution system is the smart meter, though it may not look like much and does not at first glance appear to be one of the most critical components. The problems arise from the cyber network infrastructure, which introduces common vulnerabilities that have evolved from the Internet communication system and computer/network operating systems. While the power grid was using wired meters and control systems were isolated from the wireless and cyber systems, most of the problems being addressed today did not exist. Ever since the introduction of the Internet and wireless technology to the Smart Grid, security has become a critical concern for distribution and power engineers. The Committee on Homeland Security and several other regulatory agencies have heard recommendations [19] [22] from security consultants who have researched the problems and devised solutions for the security vulnerabilities in wireless and cyber infrastructures.

Research performed by security consultants has proved that the available smart meters have insufficient security mechanisms to protect the smart grid from what are common Internet and Operating System vulnerabilities. The existing smart meters that have been deployed will need to be “reworked” to meet the requirements for a secure smart meter, at up to 60 times the original cost of implementation.

The United States is one of the countries in the process of upgrading the power grid infrastructure. Many other countries have completed the upgrade of the Smart Grid. The identified vulnerabilities are of critical concern to the Smart Grid distribution and electrical engineers and controllers. As with all new rollouts, there are always unidentified vulnerabilities that need attention. Many of the utilities that have subscribed to the stimulus plan sponsored by President Obama have taken advantage of the benefit of billions of dollars. As a result, Smart Meters have been installed, but the majority of meters are riddled with vulnerabilities. In the effort to upgrade the Smart Grid, the vulnerabilities in the Smart Meters have basically been ignored, even though the stimulus benefit stipulates that security measures should be enforced. Towered Gateway Base-Stations (TGBs) have ultimately lowered operational and maintenance costs while providing:

• Operational improvements
• Supply side savings
• New revenue opportunities
• Customer Service Improvements

These ideas are among the few that have taken advantage of emerging solutions built on existing infrastructures, Service Providers and municipal Wi-Fi networks, and have used mature solutions of proven reliability that significantly reduce the cost of implementation. Towered Gateway Base-Stations have a place in ICS; not all ideas and solutions have a place in AMR/AMI, but those solutions that have been implemented have proven successful and beneficial, providing improvements over the “old way of doing business”.

Consideration of QoS must be investigated on emerging technology, since normal home activities (such as mowing the lawn, tuning up a dirt bike, etc.) may affect some solutions. Design must be simple so as not to introduce complex problems that are insurmountable when events impede operation. As with any Information Technology system, it must be administrable, to the level that it may be broken into manageable parts, so that failures can be identified, diagnosed and repaired with the least amount of disruption to the system; this is a critical and required functionality that cannot be overlooked. This is evident in the efforts put forth by all entities involved, whether they are vendors introducing new products, vendors testing new ideas as in the case of FemtoCells, or discussions on the table that receive extreme criticism, all of which show a conscious effort to provide what is required.

It is interesting to note how the Information Technology age is continually evolving to provide solutions as demand dictates. At critical points in time where Information Technology is emerging and evolving at its peak, the need for security has never been so critical. Standards and common sense demand secure systems to protect assets, resources, and humanity, to mention only our most critical infrastructures, which require immediate and dedicated attention to adherence to the standards set forth by the authoritative entities. This can only result in the beginning of a new trend in security for a secure and reliable Information Technology that demands secure and essential attention to the ICS infrastructure. It is interesting to note that emerging technology for ICS has finally reached a point of maturity at which security has dictated the need for confidentiality, integrity and availability in a scope where no compromise can be tolerated.

The need for regulation and management has never been greater. This is a worldwide undertaking and needs strict adherence to the Secure Development Lifecycle (SDL). Vendors need to ensure their Smart Metering products are secure. The process involves removing the memcpy() and strcpy() calls in most of the meters. Also, authentication and encryption must be implemented in the Smart Meters and controllers. These are only a few of the numerous vulnerabilities that have been identified. All vulnerabilities will need to be resolved, since many are well known common issues that have evolved from the Internet. Additionally, all new products need thorough testing before implementation, and those existing meters in the field will need to be reworked or replaced to ensure that no Smart Meter can provide a vulnerability to potentially cripple a region of the Smart Grid, or in a worst case scenario, propagate a worm [17] that can grow at an alarming rate to cripple all or a majority of the Smart Grid.

It is important to realize that change is difficult to create, and the acceptance of change is for the most part always resisted. With no real centralized command and control, policy makers face an extremely hard task in facilitating the change. Of the utmost concern is that correct policies for change must be agreed on quickly and any debate must be completed quickly. Any regulatory inconsistencies or uncertainty must be resolved if the Smart Grid is to come together as a cohesive unit with all the required security strategies in place. Impeding change is all the red tape of a democratic society riddled with politics and chaired by politicians with different mentalities and ideas.

Planning together is the only way that the separate regions can achieve interoperability and scale up the infrastructure to secure the Smart Grid. The electric power grids face unprecedented challenges in the future. Not only do meters for the electric power grid need to be secure, but meters for the water and gas industries must also be included. They are leaf nodes connected to the AMI infrastructure and therefore need diligent protection. The same holds true for all renewable energy sources, such as the wind farms that will be connected to the power grid.

Planning together holds true for the Nessus scanning tool as well. With several regulatory entities such as NERC CIP, Digital Bond and the Bandolier Project, Tenable's Nessus scanner and Security Center solutions have shown us the cooperation of several agencies all focused on a single goal: secure the Smart Grid. Using the Nessus scanner, results can be obtained using credentialed scanning for comprehensive reports. A systematic methodology can be followed as a foundation to create new custom plug-ins that tailor the scans to specific ICS/IP environments. The methodology involves writing a plug-in for only one vulnerability, using the built-in functions to determine whether the scan should be run, calling other plug-ins as dependencies so that their results can be used in the current scan, and sharing the custom plug-in with the Nessus community. The Nessus Attack Scripting Language (NASL) very elegantly accommodates coding of the test script. Note that NASL is not a PERL, C or PHP type of language; NASL is an attack language for writing scripts, and that is the only purpose of the language. Cooperative efforts contribute to the daunting task of “Securing the Smart Grid” by “Enhancing Network Scanning for Discovering Vulnerabilities” in existing and emerging technology.
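The methodology just described (one vulnerability per plug-in, built-in functions deciding whether the check runs, other plug-ins declared as dependencies so their results can be reused, and a result shared for other plug-ins to consume) is illustrated by the following added NASL example. It is written for this edition of the page and is not code from the thesis or from Tenable. The plugin ID, the family name, the /meter/config path and the knowledge-base key are placeholders chosen for illustration; the functions used (script_dependencies, get_http_port, http_get, http_keepalive_send_recv, set_kb_item, security_warning) are the standard ones from the Nessus 4.x NASL include files.

```nasl
# Added example, not the thesis author's or Tenable's plug-in.
# Checks one thing only: whether a device's web management page is served
# without an HTTP authentication challenge.
if (description)
{
  script_id(999901);   # placeholder ID; use one assigned to you before sharing
  script_version("$Revision: 1.0 $");
  script_name(english:"Meter management page served without authentication");
  script_summary(english:"Requests the management page and checks for an HTTP 401 challenge");
  script_set_attribute(attribute:"synopsis",
    value:"The remote web management page can be retrieved without credentials.");
  script_set_attribute(attribute:"description",
    value:"A GET request for the management page returned HTTP 200 rather than an authentication challenge (HTTP 401 or 403).");
  script_set_attribute(attribute:"solution",
    value:"Require authentication for the management interface and serve it over SSL.");
  script_set_attribute(attribute:"risk_factor", value:"Medium");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"SCADA");   # family chosen for illustration
  # Dependencies: service discovery and HTTP fingerprinting run first and
  # populate the knowledge base (KB) entries this script reads.
  script_dependencies("find_service.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

# Built-in gate: run only against a port that find_service.nasl recorded
# as a web server (KB key Services/www); otherwise exit quietly.
port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

# Placeholder path for the device's management page (assumption).
path = "/meter/config";

# One request, reusing the keep-alive connection the HTTP plug-ins opened.
req = http_get(item:path, port:port);
res = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
if (isnull(res)) exit(0);

# A protected page answers 401 (or 403); a 200 means it was served outright.
if (egrep(pattern:"^HTTP/1\.[01] 200 ", string:res))
{
  # Record the finding in the KB so dependent plug-ins can build on it
  # (placeholder key name).
  set_kb_item(name:"www/" + port + "/meter_config_unauthenticated", value:TRUE);
  report = "The page " + path + " was served without an authentication challenge.";
  security_warning(port:port, extra:report);
}
```

The check fires only where find_service.nasl has recorded a web server for the host, so hosts without an HTTP service are skipped rather than probed. Replacing the placeholder path with the real management page and tightening the match (for example, to a specific HTML title) is what makes the plug-in specific to one device, which is the point of writing one plug-in per vulnerability.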

7.0    References

[1] Agilent FemtoCell solution for simulation modeling.

[2] ANSI C12.22: A Smart Grid Standard, Itron Smart Meters.

[3] Chow, Edward, Dr. Graphic used by permission of Dr. Edward Chow, at the UCCS website.

[4] Common Vulnerabilities and Exposures (CVE).

[5] Contactless Radio Frequency Technology Transforming Smart Meters with Secure Pre-Payment.

[6] Deraison, Renaud. Reference Manual for Nessus Attack Scripting Language, Version 1.4.0. Manual at website at

[7] Digital Bond research project.

[8] Definition and list of vulnerabilities.

[9] First OMS compliant Wireless M-Bus RF module for smart meters launched.

[10] GE Offers WiMax Smart Meter Solution.

[11] Guide to Industrial Control Systems (ICS) Security, Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC).

[12] Information on 0-day vulnerability discovered in the wild, March 2010.

[13] Information on 0-day vulnerability discovered in the wild, March 2010.

[14] Database of threat family or risk factor listed by vulnerabilities in that

[15] Itron Releases OpenWay® Collection Engine with Enhanced Security Features, February 2009.

[16] IxCatapult DCT200 test device.

[17] Journal of Energy Security, Making a Secure Smart Grid a Reality, subparagraph “Weaknesses in the Smart Grid”, pp. 3-7, October 2009. com_content&view=article&id=

[18] SCADA and Control Systems Cyber Security.

[19] Stouffer, Keith; Falco, Joe; Scarfone, Karen. Final Public Draft, Special Publication 800-82, Recommendations of the National Institute of Standards and Technology, Guide to Industrial Control Systems (ICS)

[20] Smart Metering Scope graphic.

[21] Related work for network scanning. Digital Bond Bandolier project, website at

[22] Weiss, Joseph, “Current Status of Cyber Security of Control Systems”, Testimony of Joseph M. Weiss, Control Systems Cyber Security Expert, before the Committee on Commerce, Science, and Transportation, U.S. Senate, March 19, 2009.

[23] Windows and Unix published performance characteristics of Nessus version

Appendix A ENSDV

Nessus Quick Reference Installation and Upgrade
Nessus Installation Guide

This guide provides commands as a general guideline to install and upgrade Nessus

on supported OS platforms. Detailed information, manuals, documentation,

knowledgebase and support is available at website.

A.1    Nessus Background

Nessus is a powerful, up-to-date and easy to use network security scanner endorsed by professional information security organizations such as the SANS Institute. Nessus provides the ability to perform remote and local audits on specific target machines for vulnerabilities, compliance specifications, content policy violations and more. A given network can be scanned remotely or locally to determine if it has been broken into or misused in some way. Nessus provides:

 •   Intelligent Scanning – attempts to validate a vulnerability through exploitation when possible

 •   Modular Architecture – the client/server architecture provides flexibility

 •   CVE Compatible – links to CVE so administrators can retrieve further information, with references to Bugtraq (BID), OSVDB and vendor security alerts

 •   Plugin Architecture – easily add your own tests, select specific plugins or choose an entire family. Nessus nessusd plugins are available at

 •   NASL – the Nessus scanner includes NASL (Nessus Attack Scripting Language). Security checks can also be written in the C programming language.

 •   Up-to-date Security Vulnerability Database – development focuses on security checks for newly disclosed vulnerabilities, and the database is updated daily.

 •   Tests Multiple Hosts Simultaneously – ability to test a large number of hosts concurrently.

 •   Smart Service Recognition – Nessus will recognize an FTP server running on a non-standard port (e.g., 31337) or a web server running on port 8080 instead of 80.

 •   Multiple Services – Nessus will identify and test all web servers running on a host (e.g., one on port 80 and another on port 8080).

 •   Plugin Cooperation – unnecessary checks are not performed

 •   Complete Reports – report what security vulnerabilities exist on your network, the risk level and how to mitigate them by offering solutions.

 •   Full SSL Support – ability to test services offered over SSL

 •   Smart Plugins (optional) – determines which plugins should or should not be launched against the remote host. This option is called “optimization”.

 •   Non-Destructive (optional) – enables the “safe checks” option of Nessus, which makes Nessus rely on banners rather than exploiting real flaws to determine if a vulnerability is present.

 •   Open Forum –

A.2 OS Support

 Nessus is available and supported for a variety of operating systems and platforms:

        Red Hat ES 4 (i386), and ES 5 (i386 and x86-64)

        Fedora Core 10 (i386 and x86-64) [Compatible with Fedora 9]

        Fedora Core 11 (i586 and x86-64)

        Fedora Core 12 (i586 and x86-64)

        Debian 5 (i386 and x86-64)

        FreeBSD 7 (i386 and x86-64)

        Ubuntu 8.04 (i386 and x86-64)

        Ubuntu 8.10 (i386 and x86-64)

        Ubuntu 9.10 (i386 and x86-64)

        Mac OS X 10.4 / 10.5 (i386, x86-64, ppc)

        Windows XP, Server 2003, Server 2008, Vista and Windows 7

         (i386 and x86-64)

        SuSE 9.3 (i386)

        SuSE 10.0 (i386 and x86-64)

        Solaris 10

A.3 Prerequisites

        Minimum of 1 GB RAM

        2-4GB RAM for larger scans of multiple networks

        Pentium 3 processor running at 2 GHz or higher

        Mac OS X dual-core Intel® processor running at 2 GHz or higher

        Nessus can be run under a VMware instance, but enumeration and operating system identification will be negatively affected if Network Address Translation (NAT) is used

        Nessus Unix requires several libraries that typically do not require separate

         installation. It should be noted the following are required:

             o OpenSSL (e.g., openssl, libssl, libcrypto)

             o zlib

             o GNU C Library (i.e., libc)

        Nessus Windows performance can be affected by changes to Microsoft

         Windows XP SP-2 and should be installed on a server product from the

         Windows Server 2003 family or higher for increased performance and scan


A.4 Installation

It may take several minutes the first time Nessus updates and processes the plugins. The web client connection will not be available until plugin processing has completed. Download the latest version of Nessus from

All commands must be performed as a user with root privileges. The following sections provide installation instructions for the Nessus server on all supported platforms. Special installation instructions are noted following the example. Platform installation instructions follow:

 A.4.1 Red Hat ES 4 (32 bit), ES 5 (32 and 64 bit)

      A.4.1.1 Install Command

               Use one of the appropriate commands below that corresponds to the

               version of Red Hat:

               # rpm -ivh Nessus-4.x.x-es4.i386.rpm

               # rpm -ivh Nessus-4.x.x-es5.i386.rpm

               # rpm -ivh Nessus-4.x.x-es5.x86_64.rpm

       A.4.1.2 Sample Output

               # rpm -ivh Nessus-4.2.0-es4.i386.rpm


               ########################################### [100%]


               ########################################### [100%]

               nessusd (Nessus) 4.2.0. for Linux

               -Please run /opt/nessus//sbin/nessus-adduser to add a user

               -Register your Nessus scanner at

      to obtain all the newest plugins

               - You can start nessusd by typing

               /sbin/service nessusd start


A.4.2 Fedora Core 10 (32 and 64 bit), 11 (32 and 64 bit) and 12 (32

     and 64 bit)

    A.4.2.1 Install Command

          Use one of the appropriate commands below that corresponds to the

          version of Fedora Core:

          # rpm -ivh Nessus-4.x.x-fc10.i386.rpm

          # rpm -ivh Nessus-4.x.x-fc10.x86_64.rpm

          # rpm -ivh Nessus-4.x.x-fc11.i386.rpm

          # rpm -ivh Nessus-4.x.x-fc11.x86_64.rpm

          # rpm -ivh Nessus-4.x.x-fc12.i386.rpm

          # rpm -ivh Nessus-4.x.x-fc12.x86_64.rpm

    A.4.2.2 Sample Output

          # rpm -ivh Nessus-4.2.0-fc10.i386.rpm







          nessusd (Nessus) 4.2.0. for Linux

          -Please run /opt/nessus//sbin/nessus-adduser to add a user

          -Register your Nessus scanner at

 to obtain all the newest plugins

            You can start nessusd by typing

            /sbin/service nessusd start


A.4.3 SuSE 9.3, 10

  A.4.3.1 Install Command

            Use one of the appropriate commands below that corresponds to the

            version of SuSE:

            # rpm -ivh Nessus-4.x.x-suse9.3.i586.rpm

            # rpm -ivh Nessus-4.x.x-suse10.0.i586.rpm

    A.4.3.2 Sample Output

            # rpm -ivh Nessus-4.2.0-suse10.0.i586.rpm

            Preparing... ################################## [100%]

            1:Nessus ##################################


            nessusd (Nessus) 4.2.0. for Linux

            -Please run /opt/nessus//sbin/nessus-adduser to add a user

            - Register your Nessus scanner at

   to obtain all the newest plugins

            - You can start nessusd by typing

            /etc/rc.d/nessusd start


 A.4.4 Debian 5 (32 and 64 bit)

    A.4.4.1 Install Command

      Use one of the appropriate commands below that corresponds to the

      version of Debian:

      # dpkg -i Nessus-4.x.x-debian5_i386.deb

      # dpkg -i Nessus-4.x.x-debian5_amd64.deb

A.4.4.2 Sample Output

      # dpkg -i Nessus-4.2.0-debian5_i386.deb

      Selecting previously deselected package nessus.

      (Reading database ... 36954 files and directories

      currently installed.)

      Unpacking nessus (from Nessus-4.2.0-debian5_i386.deb) ...

      Setting up nessus (4.2.0) ...

      nessusd (Nessus) 4.2.0. for Linux

      - Please run /opt/nessus/sbin/nessus-adduser to add a


      - Register your Nessus scanner at to obtain all the newest plugins

      - You can start nessusd by typing

      /etc/init.d/nessusd start


      Note: Nessus comes with an empty plugin set by default. The Nessus

      daemon cannot be started until Nessus has been registered and a

      plugin download has occurred. If you attempt to start Nessus without

      plugins, the following output is returned:

         # /etc/init.d/nessusd start

         Starting Nessus : .

         # Missing plugins. Attempting a plugin update...

         Your installation is missing plugins. Please register and

         try again.

         To register, please visit

A.4.5 Ubuntu 8.04, 8.10 and 9.10 (32 and 64 bit)

   A.4.5.1 Install Command

         Use one of the appropriate commands below that corresponds to the

         version of Ubuntu:

         # dpkg -i Nessus-4.x.x-ubuntu804_i386.deb

         # dpkg -i Nessus-4.x.x-ubuntu804_amd64.deb

         # dpkg -i Nessus-4.x.x-ubuntu810_i386.deb

         # dpkg -i Nessus-4.x.x-ubuntu810_amd64.deb

         # dpkg -i Nessus-4.x.x-ubuntu910_i386.deb

         # dpkg -i Nessus-4.x.x-ubuntu910_amd64.deb

   A.4.5.2 Sample Output

         # dpkg -i Nessus-4.2.0-ubuntu804_amd64.deb

         Selecting previously deselected package nessus.

         (Reading database ... 32444 files and directories

         currently installed.)

         Unpacking nessus (from Nessus-4.2.0-ubuntu804_amd64.deb)


         Setting up nessus (4.2.0) ...

         - Please run


         to add a user

         - Register your Nessus scanner at
 to obtain

         all the newest plugins

         - You can start nessusd by typing

         /etc/init.d/nessusd start


A.4.6 Solaris 10

   A.4.6.1 Install Command

         # gunzip Nessus-4.x.x-solaris-sparc.pkg.gz

         # pkgadd -d ./Nessus-4.x.x-solaris-sparc.pkg

         The following packages are available:

         1 TNBLnessus The Nessus Network Vulnerability


         (sparc) 4.2.1

         Select package(s) you wish to process (or 'all' to process

         all packages). (default: all) [?,??,q]:1

   A.4.6.2 Sample Output

         # gunzip Nessus-4.2.1-solaris-sparc.pkg.gz

         # pkgadd -d ./Nessus-4.2.1-solaris-sparc.pkg

The following packages are available:

1 TNBLnessus The Nessus Network Vulnerability


(sparc) 4.2.1

Select package(s) you wish to process (or 'all' to process

all packages). (default: all) [?,??,q]:1

Processing package instance <TNBLnessus> from


The Nessus Network Vulnerability Scanner(sparc) 4.2.1

## Processing package information.

## Processing system information.

## Verifying disk space requirements.

## Checking for conflicts with packages already installed.

## Checking for setuid/setgid programs.

This package contains scripts which will be executed with

super-user permission during the process of installing this package.

Do you want to continue with the installation of

<TNBLnessus> [y,n,?]

Installing The Nessus Network Vulnerability Scanner as


## Installing part 1 of 1.

(output redacted)

## Executing postinstall script.

        - Please run


        to add a user

        - Register your Nessus scanner at

        to obtain all the newest plugins

        - You can start nessusd by typing

        /etc/init.d/nessusd start

        Installation of <TNBLnessus> was successful.

        # /etc/init.d/nessusd start


        Note: Ensure the latest Solaris Recommended Patch Cluster from Sun

        is installed to eliminate any library compatibility errors.

A.4.7 FreeBSD 7 (32 and 64 bit)

  A.4.7.1 Install Command

        Use one of the appropriate commands below that corresponds to the

        version of FreeBSD:

        # pkg_add Nessus-4.2.0-fbsd7.tbz

        # pkg_add Nessus-4.2.0-fbsd7.amd64.tbz

  A.4.7.2 Sample Output

        # pkg_add Nessus-4.2.0-fbsd7.tbz

        nessusd (Nessus) 4.2.0 for FreeBSD

        Processing the Nessus plugins...


        All plugins loaded

        - Please run


        to add an admin user

        - Register your Nessus scanner at to obtain

        all the newest plugins

        - You can start nessusd by typing

        /usr/local/etc/rc.d/ start


        Note: Nessus recommends customization of the provided configuration file for your environment as described in Appendix B.

A.4.8 Windows

  A.4.8.1 Download Nessus

        Nessus 4.2 is available for Windows XP, Server 2003, Server 2008, Vista and Windows 7. The latest version of Nessus is available at

        Distribution file names and sizes vary slightly; the files are approximately 12 MB in size. Select the appropriate file and save it to a temporary location. Double click the file to begin the installation process.

        Figure 4.8.1 Windows Nessus Download Files

A.4.8.2 Installation

       Install Nessus using an administrative account. Any errors related to permissions, “Access Denied” or errors suggesting an action failed due to lack of privileges indicate an account without administrative privileges. Running the installer from a cmd.exe command prompt started with “Run as…” can resolve such privilege errors. The default settings can be used for most installations. See Figure 4.8.1 through 4.8.6 for the Windows installation process.

Figure 4.8.2 Windows Nessus Welcome Screen

Figure 4.8.3 Windows Nessus License Agreement

Figure 4.8.4 Windows Nessus Destination Folder
Figure 4.8.5 Windows Nessus Setup Type

Figure 4.8.6 Windows Nessus Install Dialog

             Figure 4.8.7 Windows Nessus Completion Dialog

A.5 Upgrading Unix/Linux

 This section explains how to upgrade Nessus from a previous Nessus installation. The following subsections provide upgrade instructions for the Nessus server on all previously supported platforms. Previously created configuration settings and users will remain intact. Special upgrade instructions are provided in a note following the example. Platform upgrade instructions follow:

      A.5.1 Red Hat ES 4 (32 bit), ES 5 (32 and 64 bit)

          A.5.1.1 Upgrade Commands

                 # service nessusd stop

                 Use the appropriate command below that corresponds to the version of Red Hat:

                 # rpm -Uvh Nessus-4.x.x-es4.i386.rpm

                 # rpm -Uvh Nessus-4.x.x-es5.i386.rpm

                 # rpm -Uvh Nessus-4.x.x-es5.x86_64.rpm

                 Restart the nessusd service:

                 # service nessusd start

A.5.1.2 Sample Output

     # service nessusd stop

     Shutting down Nessus services: [ OK ]

     # rpm -Uvh Nessus-4.2.0-es4.i386.rpm


     ########################################### [100%]

     Shutting down Nessus services:


     ########################################### [100%]

     nessusd (Nessus) 4.2.0 for Linux

     Processing the Nessus plugins...


     All plugins loaded

     - Please run


     to add an admin user

           - Register your Nessus scanner at


           obtain all the newest plugins

           - You can start nessusd by typing

           /sbin/service nessusd start

           # service nessusd start

           Starting Nessus services: [ OK ]


A.5.2 Fedora Core 10 (32 and 64 bit), 11 (32 and 64 bit)

      and 12 (32 and 64 bit)

     A.5.2.1 Upgrade Commands

           # service nessusd stop

           Use the appropriate command below that corresponds to

           the version of Fedora Core:

           # rpm -Uvh Nessus-4.x.x-fc10.i386.rpm

           # rpm -Uvh Nessus-4.x.x-fc10.x86_64.rpm

           # rpm -Uvh Nessus-4.x.x-fc11.i386.rpm

           # rpm -Uvh Nessus-4.x.x-fc11.x86_64.rpm

           # rpm -Uvh Nessus-4.x.x-fc12.i386.rpm

           # rpm -Uvh Nessus-4.x.x-fc12.x86_64.rpm

           Restart the nessusd service with the following command when

           the upgrade is complete:

           # service nessusd start


A.5.2.2 Sample Output

     # service nessusd stop

     Shutting down Nessus services: [ OK ]

     # rpm -Uvh Nessus-4.2.0-fc10.i386.rpm


     ########################################### [100%]

     Shutting down Nessus services:


     ########################################### [100%]

     nessusd (Nessus) 4.2.0 for Linux

     Processing the Nessus plugins...


     All plugins loaded
     - Please run
     to add an admin user

     - Register your Nessus scanner at

     to obtain all the newest plugins

     - You can start nessusd by typing

     /sbin/service nessusd start

     # service nessusd start

          Starting Nessus services: [ OK ]


A.5.3 SuSE 9.3, 10

     A.5.3.1 Upgrade Commands

          # service nessusd stop

          Use the appropriate command below that corresponds to the version of SuSE:

          # rpm -Uvh Nessus-4.x.x-suse9.3.i586.rpm

          # rpm -Uvh Nessus-4.x.x-suse10.0.i586.rpm

          Restart the nessusd service with the following command when the upgrade is complete:

          # service nessusd start

     A.5.3.2 Sample Output

           # service nessusd stop

           Shutting down Nessus services: [ OK ]

           # rpm -Uvh Nessus-4.2.0-suse10.0.i586.rpm


           ########################################### [100%]

           Shutting down Nessus services:


           ########################################### [100%]

           nessusd (Nessus) 4.2.0 for Linux

           Processing the Nessus plugins...


            All plugins loaded

            - Please run


            to add an admin user

            - Register your Nessus scanner at


            to obtain all the newest plugins

            - You can start nessusd by typing

            /sbin/service nessusd start

            # service nessusd start

            Starting Nessus services: [ OK ]


A.5.4 Debian 5 (32 and 64 bit)

     A.5.4.1 Upgrade Commands

            # /etc/init.d/nessusd stop

            Use the appropriate command below that corresponds to the version of Debian:

            # dpkg -i Nessus-4.x.x-debian5_i386.deb

            # dpkg -i Nessus-4.x.x-debian5_amd64.deb

            # /etc/init.d/nessusd start

     A.5.4.2 Sample Output

            # /etc/init.d/nessusd stop

# dpkg -i Nessus-4.2.0-debian5_i386.deb

(Reading database ... 19831 files and directories

currently installed.)

Preparing to replace nessus 4.2.0 (using Nessus-4.2.0-

debian5_i386.deb) ...

Shutting down Nessus : .

Unpacking replacement nessus ...

Setting up nessus (4.2.0) ...

nessusd (Nessus) 4.2.0. for Linux

Processing the Nessus plugins...


All plugins loaded

- Please run


to add an admin user

- Register your Nessus scanner at to

obtain all the newest plugins

- You can start nessusd by typing

/etc/init.d/nessusd start

# /etc/init.d/nessusd start

Starting Nessus : .


A.5.5 Ubuntu 8.04, 8.10 and 9.10 (32 and 64 bit)

     A.5.5.1 Upgrade Commands

            # /etc/init.d/nessusd stop

            Use the appropriate command below that corresponds to the version of Ubuntu:

            # dpkg -i Nessus-4.x.x-ubuntu804_i386.deb

            # dpkg -i Nessus-4.x.x-ubuntu804_amd64.deb

            # dpkg -i Nessus-4.x.x-ubuntu810_i386.deb

            # dpkg -i Nessus-4.x.x-ubuntu810_amd64.deb

            # dpkg -i Nessus-4.x.x-ubuntu910_i386.deb

            # dpkg -i Nessus-4.x.x-ubuntu910_amd64.deb

            # /etc/init.d/nessusd start

     A.5.5.2 Sample Output

            # /etc/init.d/nessusd stop

            # dpkg -i Nessus-4.2.0-ubuntu810_i386.deb

            (Reading database ... 19831 files and directories

            currently installed.)

            Preparing to replace nessus 4.2.0 (using Nessus-4.2.0-

            ubuntu810_i386.deb) ...

            Shutting down Nessus : .

            Unpacking replacement nessus ...

            Setting up nessus (4.2.0) ...

            nessusd (Nessus) 4.2.0. for Linux

            Processing the Nessus plugins...


            All plugins loaded

            - Please run


            to add an admin user

            - Register your Nessus scanner at


            obtain all the newest plugins

            - You can start nessusd by typing

            /etc/init.d/nessusd start

            # /etc/init.d/nessusd start

            Starting Nessus : .


A.5.6 Solaris 10

     A.5.6.1 Upgrade Commands

            # /etc/init.d/nessusd stop

            # pkginfo | grep nessus

            The following is example output for the previous command

            showing the Nessus package:

            application TNBLnessus The Nessus Network

            Vulnerability Scanner

      To remove the Nessus package on a Solaris system, run the

      following command:

      # pkgrm <package name>

      # gunzip Nessus-4.x.x-solaris-sparc.pkg.gz

      # pkgadd -d ./Nessus-4.2.0-solaris-sparc.pkg

      The following packages are available:

      1 TNBLnessus-4-2-0 TNBLnessus

      (sparc) 4.2.0

      Select package(s) you wish to process (or 'all' to


      all packages). (default: all) [?,??,q]: 1

      # /etc/init.d/nessusd start

A.5.6.2 Sample Output

      # /etc/init.d/nessusd stop

      # pkginfo | grep nessus

      application TNBLnessus The Nessus Network

      Vulnerability Scanner

      # pkgrm TNBLnessus

      (output redacted)

      ## Updating system information.

      Removal of <TNBLnessus> was successful.

      # gunzip Nessus-4.2.1-solaris-sparc.pkg.gz

      # pkgadd -d ./Nessus-4.2.1-solaris-sparc.pkg

The following packages are available:

1 TNBLnessus The Nessus Network Vulnerability


(sparc) 4.2.1

Select package(s) you wish to process (or 'all' to


all packages). (default: all) [?,??,q]: 1

Processing package instance <TNBLnessus> from



The Nessus Network Vulnerability Scanner

(sparc) 4.2.1

## Processing package information.

## Processing system information.

13 package pathnames are already properly installed.

## Verifying disk space requirements.

## Checking for conflicts with packages already


## Checking for setuid/setgid programs.

This package contains scripts which will be executed

with super-user

permission during the process of installing this


Do you want to continue with the installation of

<TNBLnessus> [y,n,?]

Installing The Nessus Network Vulnerability Scanner as


## Installing part 1 of 1.

(output redacted)

## Executing postinstall script.

- Please run


to add a user

- Register your Nessus scanner at to obtain

all the newest plugins

- You can start nessusd by typing

/etc/init.d/nessusd start

Installation of <TNBLnessus> was successful.

# /etc/init.d/nessusd start


Note: Uninstall the existing version and then install the newest release to upgrade Nessus on Solaris. This process does not remove configuration files or files that were not part of the original installation. Ensure the latest Solaris Recommended Patch Cluster from Sun is installed to avoid library compatibility errors.

A.5.7 FreeBSD 7 (32 and 64 bit)

     A.5.7.1 Upgrade Commands

            # killall nessusd

            # pkg_info

            This command lists all the packages installed and

            their descriptions. The following is example output for the

            previous command showing the Nessus package:

            Nessus-4.0.2 A powerful security scanner

            Remove the Nessus package using the following command:

            # pkg_delete <package name>

            Use one of the appropriate commands below that corresponds to

            the version of FreeBSD:

            # pkg_add Nessus-4.2.0-fbsd7.tbz

            # pkg_add Nessus-4.2.0-fbsd7.amd64.tbz

            # /usr/local/nessus/sbin/nessusd -D

     A.5.7.2 Sample Output

            # killall nessusd

            # pkg_delete Nessus-4.0.2

            # pkg_add Nessus-4.2.0-fbsd7.tbz

            nessusd (Nessus) 4.2.0. for FreeBSD

            Processing the Nessus plugins...


            All plugins loaded

           - Please run


           To add an admin user

           - Register your Nessus scanner at


           obtain all the newest plugins

           - You can start nessusd by typing

           /usr/local/etc/rc.d/ start

           # /usr/local/nessus/sbin/nessusd -D

           nessusd (Nessus) 4.2.0. for FreeBSD

           Processing the Nessus plugins...


           All plugins loaded


           Note: Uninstall the existing version and then install the newest

           release to upgrade Nessus on FreeBSD. This process does not

           remove configuration files or files that were not part of the original


A.5.8 Windows Upgrade

    A.5.8.1 Upgrade Nessus 4.0 to 4.0.x

           This upgrade process will ask if the user wants to delete everything

           in the Nessus directory. If you choose “Yes” for this option, an

           uninstall process will remove previously created users, existing

      scan policies, scan results and the scanner will become


A.5.8.2 Upgrade from Nessus 3.0 to 3.0.x

      Direct upgrades from Nessus 3.0.x to Nessus 4.x are not supported.

      An upgrade to version 3.2 can be used as an interim step to ensure

      that vital scan settings and policies are preserved.

      If scan settings do not need to be kept, uninstall Nessus 3.x first

      and then install a fresh copy of Nessus 4. Consult the Nessus 3.2

      Installation Guide for more information to upgrade to 3.2 as an

      interim step,


A.5.8.3 Upgrading from Nessus 3.2 and later

      Upgrades from Nessus 3.2 or later are supported. Download the Nessus 4 package and install it without uninstalling the existing version; all previous vulnerability scan reports and policies are preserved and will not be deleted.

Appendix B

ENSDV Nessus Configuration
B.1 Nessus Major Directories

   B.1.1 Windows

         \Program Files\Tenable\Nessus

Windows Nessus Subdirectories

           \conf                                - Configuration files

           \data                                - Stylesheet templates

           \nessus\plugins                      - Nessus plugins

           \nessus\users\<username>\kbs         - User knowledgebase on disk

             \nessus\logs                       - Nessus log files

   B.1.2 Unix Distributions (Red Hat, SuSe, Debian, Ubuntu, Solaris)

         /opt/nessus

      Unix Nessus Subdirectories

           ./etc/nessus/                        - Configuration files

           ./var/nessus/users/<username>/kbs/   - User knowledgebase on disk

   B.1.3 FreeBSD

         /usr/local/nessus

      FreeBSD Subdirectory

         ./lib/nessus/plugins/                  - Nessus plugins

   B.1.4 Mac OS X

         /Library/Nessus/run

      Mac OS X Subdirectory

         /var/nessus/logs/                      - Nessus log files

B.2 Nessus Server Manager

      B.2.1 Use the Nessus Server Manager to start, stop and configure the Nessus

      server. This interface allows you to:

         Register your Nessus Server in order to receive updated


         Perform a plugin update

         Configure the startup option whenever Windows starts

         Manage Nessus users

         Start or Stop the Nessus Server

           Figure B.2.1 Windows Server Manager Configuration

B.3 Changing Default Nessus Port

    Edit the nessusd.conf file located in C:\Program Files\Tenable\Nessus\conf\ to

    change the default port. These configuration directives can be edited to alter the

    Nessus service listener and Web Server preferences:

    # Port to listen to (old NTP protocol). Used for pre 4.2 NessusClient

    # connections :

    listen_port = 1241

    # Port for the Nessus Web Server to listen to (new XMLRPC protocol) :

    xmlrpc_listen_port = 8834

    Stop the Nessus service via the Nessus Server Manager and restart it.
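The two directives above are plain `key = value` lines with `#` comments, so the port change can be checked and applied without hand-editing. The following Python is an added illustration for this appendix, not Tenable's code and not part of the thesis; it assumes only the line layout shown in the snippet, and SAMPLE_CONF is constructed from that snippet. It reads both listener ports, validates them, reports whether either is still on the default named above (useful when inventorying where a scanner is reachable), and rewrites a directive in place while keeping the surrounding comments.

```python
"""Read and rewrite listener-port directives in a nessusd.conf-style file.

Added illustration for Appendix B.3 (not Tenable's code). The file format
assumed here is the `key = value` plus `#`-comment layout shown in B.3.
"""
import re
from typing import Dict

# Constructed sample: the directives quoted in Appendix B.3.
SAMPLE_CONF = """\
# Port to listen to (old NTP protocol). Used for pre 4.2 NessusClient
# connections :
listen_port = 1241

# Port for the Nessus Web Server to listen to (new XMLRPC protocol) :
xmlrpc_listen_port = 8834
"""

# Defaults named in Appendix B.3; used to flag a listener that was never moved.
DEFAULT_PORTS = {"listen_port": 1241, "xmlrpc_listen_port": 8834}

# One directive: identifier, '=', value; leading/trailing whitespace ignored.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_directives(text: str) -> Dict[str, str]:
    """Return key -> raw value for every non-comment directive line."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment line
        m = _DIRECTIVE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def listener_ports(text: str) -> Dict[str, int]:
    """Return both listener ports as ints; raise on missing or invalid values."""
    directives = parse_directives(text)
    ports: Dict[str, int] = {}
    for key in DEFAULT_PORTS:
        raw = directives.get(key)
        if raw is None:
            raise ValueError(f"missing directive: {key}")
        if not raw.isdigit() or not 1 <= int(raw) <= 65535:
            raise ValueError(f"{key}: {raw!r} is not a valid TCP port")
        ports[key] = int(raw)
    if len(set(ports.values())) != len(ports):
        raise ValueError("listener ports must be distinct")
    return ports


def uses_default_ports(text: str) -> bool:
    """True when either listener is still on the default port named in B.3."""
    return any(v == DEFAULT_PORTS[k] for k, v in listener_ports(text).items())


def set_directive(text: str, key: str, value: str) -> str:
    """Rewrite `key = value` in place, leaving comments and other lines intact.

    If the key is absent it is appended at the end of the file.
    """
    out = []
    replaced = False
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and m.group(1) == key:
            out.append(f"{key} = {value}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("current:", listener_ports(SAMPLE_CONF),
          "on defaults:", uses_default_ports(SAMPLE_CONF))
    moved = set_directive(SAMPLE_CONF, "xmlrpc_listen_port", "8835")
    print("after move:", listener_ports(moved),
          "on defaults:", uses_default_ports(moved))
```

As in B.3, the rewritten file only takes effect after the Nessus service is stopped and restarted from the Nessus Server Manager; a value outside 1-65535 or two listeners sharing a port is rejected before anything is written.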

B.4 Registering the Nessus Installation

  Register Nessus by clicking on “Obtain an activation code”. Two options exist.

The Nessus website will offer a HomeFeed and ProfessionalFeed version. The

website is at A ProfessionalFeed

is required for commercial use and offers plugin updates, customer support,

configuration audits, virtual appliance and more. A HomeFeed is required for home

users and is not licensed for professional or commercial use. Once the required

information is provided and processed, an email containing an Activation Code

entitles you to either the ProfessionalFeed or the HomeFeed of plugins. Enter the

Activation Code in the appropriate field and click on the “Register” button. Note

that you will be prompted to enter the administrator username and password. The

Nessus Server Manager authorizes the Feed Activation Code and takes several

minutes to update the Nessus plugins. Functionality in the Nessus Server Manager

is disabled until it is


  Note: Nessus Security Center is a centralized application that can be used to

manage Activation Codes for several Nessus installations.

B.5 Adding User Accounts

Click on the “Manage Users” button in the “Nessus Server Manager” dialog.

         Figure B.5.1 Activated Windows Server Manager Dialog

Click on the “+” button and enter a new username and password.

       Figure B.5.2 Nessus User Management Dialog

Enter the username, the password, the password again, and select

the “Administrator” checkbox to assign administrator credentials to the user.

           Figure B.5.3 Nessus Add/Edit User Dialog

Clicking the “Edit…” button will allow p maintenance. Clicking the “-” button

with a user selected will delete the user after confirmation.

                      Figure B.5.4 Nessus Login User Dialog

B.6 Host-Based Firewalls

      It is required that connections be allowed from the Nessus client's IP address

      if the Nessus Server is configured on a host with a personal firewall such as

      Zone Alarm, Sygate, Windows XP firewall or any other firewall software.

      The default port 8834 is used for the Nessus Web Server user interface. On

      Microsoft XP service pack 2 (SP2) systems, clicking on the “Security Center”

      icon available in the “Control Panel” presents the user with the opportunity to

      manage the “Windows Firewall” settings. To open up port 8834 choose the

      “Exceptions” tab and then add port “8834” to the list. Consult the

      documentation for configuration instructions for other personal firewall


B.7 Other Operating System Configuration

Configuration of other operating systems requires specific parameters for the desired

       results. Configuration is very similar for the different supported operating

       systems. The Graphical User Interface (GUI) dialogs can be used for the

       required configuration. Refer to the installation guides for the particular

       operating system and version for a complete detailed guide. The guides can be

       found at

Note: The configuration tasks can be done via Command Line Interface (CLI)

       directives. Configuration files can be edited for the desired configuration.

       Refer to the installation guides for the particular operating system and version.

       The guides can be found at ttp://

Appendix C

C.1 Subject Descriptors

ICS - Industrial Control Systems

ICS - Incident Command System

NIST - National Institute of Standards and Technology

SCADA - Supervisory Control and Data Acquisition

SDL - Secure Development Lifecycle

ANSI - American National Standards Institute

NERC - North American Electric Reliability Corporation

FERC - Federal Energy Regulatory Commission

OMS - Open Metering System

HMI - Human Machine Interface

AMI - Advanced Meter Infrastructure

AMR - Advanced Meter Reading

CIP - Critical Infrastructure Protection

TGB - Tower Gateway Base-Station

ALA - Active Line Access

Appendix D

D.1 Nessus Scan Performance Metrics

    Nessus scans were performed on the prototype and ISSG lab computers. The prototype

layout is shown in Figure D.1.

                           [Figure D.1 Prototype Layout: diagram of the prototype

                            network; slide dated 5/10/2010, ENSDV / Cordova, p. 12]

 The Nessus scanner used was version 4.2.1 build 9119 with the ProfessionalFeed

subscription services with updated plug-ins. Full scans were performed with CGI,

Web application tests and thorough testing enabled. Safe checks were enabled.

       Target Machines                                   Seconds

    3Com SSS HP Procurve VXWorks                            723
    HP Jet Direct Printer                                   253
    Windows 7 Home                                          565
    Windows Server 2003 VM                                  242
    Windows XP Pro un-patched VM                            279
    Linux Kernel 2.6 VM                                     874
    Windows XP Pro patched - physical                       1153

            Figure D.2 Nessus Scan Performance Times on Prototype

 Several factors affect the scan time on the target machines. It appears that the scan

takes longer on machines that have web services installed. The Viva server took

5,272 seconds to complete. The scan appears to have found several web server

instances from virtual Apache installations. Older machines such as the physical XP

patched machine on the prototype did not perform well. Several applications and

services installed on this machine leave it in an “overloaded” condition. The machine

has a 1GHz PII with 512 MB of RAM and is very slow when working with a modern

application. Many other factors affecting scan time performance include:

         Hardware

         Operating System

         Applications

         Services

         Network Infrastructure

         Nessus server Host

         Firewall

         Passive or Active IDS/IDP

 Note: For a more accurate assessment of Nessus scan performance, please refer to

section 4.1.13, Page 112, Nessus Scan Performance published by Tenable Nessus.

 Nessus scans were performed on the ISSG lab computers on subnets

and The scan discovered 34 machines active on the network. Full scans

were performed with CGI, Web application tests and thorough testing enabled. Safe

checks were enabled.

Target Machines                Seconds

(machine names not recovered from the extracted table; one scan time per host)

                                   409
                                   413
                                   412
                                  5830
                                   368
                                   417
                                   402
                                   455
                                   530
                                  1372
                                   429
                                   464
                                   460
                                   461
                                  4864
                                   565
                                   456
                                   586
                                   675
                                   767
                                   701
                                   320
                                   324
                                   385
                                   362
                                  1117
                                   373
                                   466
                                  4233
                                   354
                                   372
                                  5272
                                   781
                                  4587

Figure D.1 Nessus Scan Performance Times on ISSG Lab

