CYBER SECURITY

BLEEDING SECURITY

SSL SECURITY AND THE CONNECTED DEVICE

Briefly put: A lot has been reported in the media around a variety of companies and the effect the Heartbleed vulnerability has had on these enterprises’ ability to secure their websites. Not that much, however, has been reported on the potential impact on utilities.

Consider this scenario: Utility ABC has a certificate issued by a Certification Authority and uses this secured, authenticated means of communication to verify communications via its website with its customers. This certificate is stolen by John Doe and used to replicate communications from Utility ABC. John Doe then sends a digital communication to all users within Utility ABC’s distribution area, asking them to change passwords, verify information or update banking details. As customers do so, John Doe is able to monitor all communications between Utility ABC and its customers, bleeding off information, banking details and passwords for later use.

All very interesting, and a bit scary, but really – what does this have to do with Heartbleed vulnerabilities? And why should you as a utility be concerned? No one has access to your passwords and internet keys.

Let’s take a step back… Every time a secure communication takes place, the communication is encrypted using the receiver’s public key. This key encrypts all communications, which can only be decrypted and therefore read with the user’s private key. Digital certificates operate exactly the same way, but are issued by third parties – called Certification Authorities (CA) – who verify that the owner of the certificate (hence website) is, in fact, who they claim to be. Keys and certificates form the basis of the trust relationship between the various players that use the web. Without these certificates, it is hard to verify that websites or communications are authentic.
In theory, should any alterations be made to a certificate, or should an attempt be made to forge a certificate, the software will detect this and the contents of the communication (via websites or other electronic communication media) will not be validated and can therefore not be opened or accessed.

Gavin Hill of Venafi, a cyber security company, describes digital certificates and keys as the foundation of your digital security – and stresses that without a solid foundation, any other security measures will always be vulnerable.

A bug like no other

Heartbleed, a bug that may or may not have been introduced into the web deliberately, exploits a weakness or implementation fault of SSL (Secure Sockets Layer) in the OpenSSL library, allowing certificates and keys to be identified and replicated, enabling hackers to eavesdrop on communications between companies and their customers, webservers or industrial control systems – without leaving a trace – making it very hard to identify if a company has been exposed to malicious activity.

Symantec’s Candid Wueest of that company’s Security Response team tells Metering International: “Heartbleed allows you to read information from the memory of the vulnerable machine – either from the server or the devices – such as passwords from previous users or payment information. If you log into the website – if you are checking your electricity bill for instance – and I use Heartbleed against the specific servicer, I could get your password, your details and even a glimpse of what you looked at. I could then log into your account myself, and I may even be able to cancel your service. This is quite easily done.”

According to Gartner, criminals use this information to cloak their activities, steal more keys and certificates and impersonate trusted web services, administrators and software. With more than 50% of the world’s web servers making use of SSL, the impact of any vulnerability can be fairly significant.

There are tools that could enable an attack like this against any server. With some more patience – good timing and good attack execution – it would be possible to steal the SSL key from the server. Once you have this from the server’s communication, you can read and decrypt the server in clear text. After that – anything that is accessed can now be read and manipulated. It would be possible to impersonate another device or person. It is not unthinkable that a power station, for instance, could be commanded to increase or decrease power output to the point where the system was overloaded, or the output was so low that outages resulted.

There have been cases where this has happened – in Austria and Switzerland where a small privately owned power plant that provided power for about 500 households was hacked. The owner, who for efficiency and financial reasons kept the operation of the system as lean as possible, was able to use his iPad to monitor power distribution and generation output. His access to the system was hacked, and this was used to access the power station and shut down the power. While this in effect ‘only’ impacted 500 households, the challenge of course is that with utility or power companies there is normally a cascade or domino effect – which could lead to even bigger blackouts.

METERING INTERNATIONAL ISSUE - 3 | 2014
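The memory disclosure Wueest describes comes down to a TLS heartbeat reply routine (RFC 6520) that trusts a length field supplied by the peer instead of the number of bytes actually received. The C sketch below is an added example, not code from the article or from OpenSSL: the arena, the SECRET value and all function names are constructed for illustration, and it shows the flawed pattern beside the length check that closes it.

```c
#include <stddef.h>
#include <string.h>

#define HB_HEADER  3   /* 1-byte type + 2-byte big-endian payload length */
#define HB_PADDING 16  /* minimum padding after the payload (RFC 6520) */
#define SECRET     "SECRET-KEY-BYTES"  /* constructed 16-byte stand-in */

/* Constructed stand-in for process memory: the received record sits at the
 * start and unrelated sensitive data lies directly behind it. */
static unsigned char arena[64];

/* Flawed pattern: trusts the length field carried inside the message. */
size_t echo_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                          /* bytes actually received: ignored */
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Hardened pattern: header + claimed payload + padding must fit inside the
 * bytes actually received, otherwise the message is dropped. */
size_t echo_checked(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Stage a request whose real payload is "hi" but whose length field says
 * `claimed`, then count how many bytes of SECRET end up in the reply.
 * `claimed` must be at most 40 so the flawed copy stays inside the arena. */
size_t leaked_bytes(size_t claimed, int hardened) {
    unsigned char out[64] = {0};
    size_t rec_len = HB_HEADER + 2 + HB_PADDING, i, n, hits = 0;
    if (claimed > 40) return 0;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat request */
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + HB_HEADER, "hi", 2);
    memcpy(arena + rec_len, SECRET, 16);            /* neighbour of the record */
    n = hardened ? echo_checked(arena, rec_len, out)
                 : echo_unchecked(arena, rec_len, out);
    for (i = 0; i + 16 <= n; i++)                   /* look for SECRET in reply */
        if (memcmp(out + i, SECRET, 16) == 0) hits = 16;
    return hits;
}
```

An honest request (length field 2) leaks nothing either way; only the mismatch between claimed and received length separates the two routines, which is why the disclosure leaves no trace in ordinary application logs.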