hacking the power grid
play

HACKING THE POWER GRID: WHY WE SHOULD ALL BE CONCERNED ABOUT IOT - PowerPoint PPT Presentation

Aug 04, 2023 •91 likes •427 views

HACKING THE POWER GRID: WHY WE SHOULD ALL BE CONCERNED ABOUT IOT SECURITY Presented by Computer Forensics & Cyber Security Expert: Lee Neubecker, CISSP https://greatlakesforensics.com My Blog: https://leeneubecker.com About Lee

  1. HACKING THE POWER GRID: WHY WE SHOULD ALL BE CONCERNED ABOUT IOT SECURITY Presented by Computer Forensics & Cyber Security Expert: Lee Neubecker, CISSP https://greatlakesforensics.com My Blog: https://leeneubecker.com

  2. About Lee Neubecker, CISSP, MBA • Lycos.com Group Product Manager 1998-1999 • Founded Forensicon, Inc. in 2002 - sold to QDiscovery in March of 2016 • Info Sec / Security Blogger 2016 - Present leeneubecker.com • HaystackID CISO, then promoted to CIO January 2018 through July 2018 • Founded Great Lakes Forensics August 2018 greatlakesforensics.com • Ranked one of the top Global Expert Witnesses in Cyber Security and Computer Forensics by Who’s Who Legal 2018

  3. September 11, 2019 Imagine how a cyber attack a year from today could impact us all

  4. Day 1 Without Power ● People Trapped in Elevators ● Flights cancelled everywhere ● Cell Phone Networks not working ● CTA & METRA Electric Trains Shut Down ● Most homes lose power (No refrigeration, a/c) ● Gas stations unable to sell gas (electric pumps) ● Hi-rise buildings without working windows swelter ● Traffic stopped with everyone trying to flee

  6. Days 2-7 Without Power ● Stores run out of consumer goods ● Internet largely not working ● Water Pressure Drops ● Food Begins to Spoil ● Cars and trucks clog roads (out of gas) ● Banks and ATM’s unable to disburse cash ● Credit cards don’t work (barter and hard currency only) ● Fires breakout through the city - Responder hell

  7. Great Fire of Chicago 1871

  8. Chicago 1968 Post Riots

  9. Days 8-14 Without Power ● Reserve fuel sources for generators depleted ● Distribution of consumer goods disrupted ● Medicine supplies exhausted ● Storms begin flooding basements ● Sewage starts to backup into homes ● Water supply contaminated ● Looters and crime everywhere ● Garbage piles up everywhere

  10. Garbage Piles Up

  11. Days 15-30 Without Power • Public water supply stops working • Disease and famine begin to take over • Hospitals lose backup power • Sick persons dependent on medication begin to die • Lawlessness takes hold • Every person for themselves

  12. The threat of cyber attacks on our power grid is real!

  13. Points of Vulnerability to Our Power Grid Direct attacks Indirect attacks

  14. USENIX Conference: Research Presented Aug 2018 Ma nipulation of D emand via IoT (MadIoT) https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-soltan.pdf

  15. Their Research: https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-soltan.pdf

  16. Types of Attacks on the Power Grid ● Attacks that result in frequency instability (sudden increase or decrease in power demanded of the system that can cause a disruption or significant variance in Supply and Demand) ● Attacks that cause line failures and result in cascading failures ○ Polish Power Grid Summer 2008 ■ 1% in the demand on the Polish power grid results in a cascading failure with 263 line failures and outage in 86% of the loads. ■ 210,000,000 Watts can trigger such an outage (Examples below) ● 210,000 Air Conditioners turning on at once ● 42,000 Electric Water Heaters turning on at once ○ Shift in geographic region of demand of power concentrated in a single region can cause line failures in adjacent region power lines ● Attacks that increase operating costs (5% increase during peak hours can result in 20% cost increase)

  17. Types of Attacks on the Power Grid MadIoT attack variations Graphic from https://www.usenix.org/system/files/conference/usenixsecurity18/sec18- soltan.pdf

  18. Types of Attacks on the Power Grid MadIoT attack variations ● Attacks the frequency by turning devices on and off in mass via Botnet to attack the power generation facilities via endpoint demand ● Attack much smaller number of devices in targeted geographic areas to cause line tripping as power flows between islands and neighborhoods (may trip lines and not be detected by the grid operator initially) ● Turning bots on and (off) in the importing (exporting) end of a tie-line to cause line tripping ● Increasing the operating cost during demand peak hours by increasing demand slowly (forces depletion of power generation reserves)

  19. Types of High Wattage IoT Devices

  20. Devices that Control High Wattage Devices

  21. Devices that protect most home IoT Devices

  22. Problems with many consumer firewalls ● Default username and passwords - easy automatic compromises, e.g., admin password ● Configured insecure by default ● Not fully patched before deployment ● Rogue firmware can be uploaded to compromise all connected devices through code injection ● Cable companies often have root credentials & control ● Telecom providers and desires of our U.S. Government to have Intel on Consumers hasn’t helped

  23. Vulnerabilities and Exploit Bonanza Since 2015 ● U.S. OPM Hacked June 2015 ● Hacking Team Code posted online in July 2015 ● U.S. Intel Weapons leaked online (Snowden, Vault 7, Shadow Brokers, Harold Martin, Reality Winner) ● Vulnerabilities and exploits used to compromise chips and routers have resulted in tons of problems ● Double Pulsar Port 445 SMB vulnerability revealed ● Broadcom Chip Vulnerabilities ● Processor Speculative Execution Vulnerabilities

  24. Botnets ● Takes over a large number of devices deployed around the world or targeted using known public facing port vulnerabilities ● Routers and other public facing devices targeted ● Used by nefarious actors to coordinate large scale DDOS attacks and to obscure the identity of the attacker(s)

  25. What needs to happen to secure IoT 1. Effective deployment of Firewalls in homes to block inbound traffic 2. Devices need to auto patch update their firmware 3. Default usernames and passwords need to be uniquely issued per device 4. Network segmentation of IoT devices on Guest Network with no peer access 5. Routers need to be hardened on home devices 6. Firmware verification needs to be readily available 7. Secure delivery of Patches or atleast the ability to validate the patch before installation 8. Adoption of stronger encryption algorithms to secure and sign firmware updates (SHA1, MD5 and less secure algorithms should no longer be used)

  26. What power companies need to do ● Be on alert for compromise from venders and strategic partners ● Implement Multi-factor authentication to protect (Something your Know) + (Something you are) or (Something you have) ● Monitor geographic consumption of power changes instead of the overall ● Artificial Intelligence development to respond to cyber attacks

  27. What Industry is Doing 1. CTIA The Wireless Association - The U.S. wireless industry’s trade association, recently announced the creation of a cybersecurity certification program for Internet of Things (IoT) devices that connect to the internet via LTE or Wi-Fi. (August 31, 2018) 2. GSMA - The GSM Association is an originally-European trade body that represents the interests of mobile network operators worldwide. GSMA has established a set of IoT cybersecurity guidelines and self-assessment tools that are similarly aimed at improving the security of IoT devices.

  28. What our Government is Doing ● Draft NISTIR 8200 Interagency Report on Status of 23 International Cybersecurity 24 Standardization for the 25 26 Internet of Things (IoT) https://csrc.nist.gov/CSRC/media/Publications/nistir/8200/draft/documents/nistir8200-draft.pdf ● State of Modern Application, Research, and Trends of IoT Act, or SMART IoT Act (Draft Bill – directs the Commerce Secretary to submit to Congress a report on the state of the IoT industry ● California SB-327 Information privacy: connected devices ● Internet of Things Cybersecurity Improvement Act of 2017 (Introduced but no action yet) - Sen. Mark Warner & Sen. Cory Gardner — an attempt to force companies that sell wearables, sensors and other web-connected tools to federal agencies to adhere to some new security standards.

  29. Q&A Lee Neubecker, CISSP, MBA President of Great Lakes Forensics https://greatlakesforensics.com lee@greatlakesforensics.com My Direct +(312) 300-4729 My blog: https://leeneubecker.com https://www.linkedin.com/in/leeneubecker/ https://twitter.com/lneubecker

  30. Smart Home Gone Wrong Mr. Robot https://player.vimeo.com/video/178324074

  32. Q&A Lee Neubecker, CISSP, MBA President of Great Lakes Forensics https://greatlakesforensics.com lee@greatlakesforensics.com My Direct +(312) 300-4729 My blog: https://leeneubecker.com https://www.linkedin.com/in/leeneubecker/ https://twitter.com/lneubecker

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Topics Top threats to US Power Grid summary Different backup power sources discussion

Topics Top threats to US Power Grid summary Different backup power sources discussion

How to decide which off grid Solar System is for you Topics Top threats to US Power Grid summary Different backup power sources discussion On/Off Grid Solar Products Compared to show you what things to look for (detailed version of

460 views • 25 slides
Power Grid Analysis Challenges for Large Microprocessor Designs Alexander Korobkov Contents

Power Grid Analysis Challenges for Large Microprocessor Designs Alexander Korobkov Contents

<Insert Picture Here> Power Grid Analysis Challenges for Large Microprocessor Designs Alexander Korobkov Contents Introduction Oracle Sparc design: data size and trend Power grid extraction challenges Early power grid

395 views • 24 slides
Financing on-site power in Myanmar On-site power for off-grid telecom tower Grid-tied rooftop

Financing on-site power in Myanmar On-site power for off-grid telecom tower Grid-tied rooftop

Financing on-site power in Myanmar On-site power for off-grid telecom tower Grid-tied rooftop solar for commercial customer 36 million Number of Myanmar people without electricity 217 kWh Average annual per capita energy consumption 15%

1.31k views • 10 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Power Grid Impacts Resulting From Unintentional Demand Response J EFF D AGLE , PE Chief

Power Grid Impacts Resulting From Unintentional Demand Response J EFF D AGLE , PE Chief

Power Grid Impacts Resulting From Unintentional Demand Response J EFF D AGLE , PE Chief Electrical Engineer, Advanced Power Systems Pacific Northwest National Laboratory TCIPG Seminar Series on Technologies for a Resilient Power Grid February

680 views • 30 slides
Tri-Generation: Power-Heat-Cooli ling for Homes, , In Independent of the Grid id WADE

Tri-Generation: Power-Heat-Cooli ling for Homes, , In Independent of the Grid id WADE

Tri-Generation: Power-Heat-Cooli ling for Homes, , In Independent of the Grid id WADE DistribuGen Conference 2015 A Power System that 10 is 2 to 3 times as efficient as the utility grid power Entrepreneur Slides And capable of

1.08k views • 30 slides
Energy Storage Technologies for Grid- Connected and Off-Grid Power System Applications By By

Energy Storage Technologies for Grid- Connected and Off-Grid Power System Applications By By

Energy Storage Technologies for Grid- Connected and Off-Grid Power System Applications By By Faruk Ahmed Bhuiyan Graduate Student Electrical and Computer Engineering Dept., Western University, London, Ontario Supervisor: Professor

168 views • 16 slides
Smarter Electric Power Grid Smarter Electric Power Grid Mehdi Etezadi-Amoli, PhD. PE Mehdi

Smarter Electric Power Grid Smarter Electric Power Grid Mehdi Etezadi-Amoli, PhD. PE Mehdi

University of Nevada, Reno EBME Department Smarter Electric Power Grid Smarter Electric Power Grid Mehdi Etezadi-Amoli, PhD. PE Mehdi Etezadi Amoli, PhD. PE Professor and Chair Department of Electrical and Biomedical Engineering Presented

277 views • 15 slides
Technologies for the Smart Grid Smart Power Grid Technology Conference Dr. William Kao May 12,

Technologies for the Smart Grid Smart Power Grid Technology Conference Dr. William Kao May 12,

Technologies for the Smart Grid Smart Power Grid Technology Conference Dr. William Kao May 12, 2011 Agenda Smart Grid : what is it? Three important elements towards achieving SM: Architecture, Communications, Technology Five key SG

161 views • 15 slides
Options for an Autarkic Operation of a Communal Power Grid Using a Battery and Renewable Energies

Options for an Autarkic Operation of a Communal Power Grid Using a Battery and Renewable Energies

Options for an Autarkic Operation of a Communal Power Grid Using a Battery and Renewable Energies Eberhard Waffenschmidt IRES, Dsseldorf, 14. Mar. 2018 Prof. E. Waffenschmidt 2018 Future grid structure Cellular power grid: ?

275 views • 13 slides
Energy Transition towards a Cellular Smart Grid Community Grid Edge Flexibility & Power

Energy Transition towards a Cellular Smart Grid Community Grid Edge Flexibility & Power

GridSens & Smart Grid II Meeting Strathclyde 3 Feb 2016 Energy Transition towards a Cellular Smart Grid Community Grid Edge Flexibility & Power Quality Empowering Energy Citizens Building Regulated Smart

628 views • 46 slides
Grid Stability Enhancement by LVRT Retrofitting of Existing Wind and Solar Power Plants

Grid Stability Enhancement by LVRT Retrofitting of Existing Wind and Solar Power Plants

Grid Stability Enhancement by LVRT Retrofitting of Existing Wind and Solar Power Plants Kristoffer Qvist Nielsen Vice President Global R&D, KK Wind Solutions A/S 1 Contents 1. Introduction 2. Grid codes: why grid codes 3. Impact on grid

345 views • 10 slides
False-Positives, p-Hacking, Statistical Power, and Evidential Value Leif D. Nelson University of

False-Positives, p-Hacking, Statistical Power, and Evidential Value Leif D. Nelson University of

False-Positives, p-Hacking, Statistical Power, and Evidential Value Leif D. Nelson University of California, Berkeley Haas School of Business Summer Institute June 2014 Who am I? Experimental psychologist who studies judgment and

1.25k views • 88 slides
Big Data: Using Smart Grid to Improve Operations and Reliability LaMargo Sweezer-Fischer Power

Big Data: Using Smart Grid to Improve Operations and Reliability LaMargo Sweezer-Fischer Power

1 Big Data: Using Smart Grid to Improve Operations and Reliability LaMargo Sweezer-Fischer Power Delivery Grid Automation Manager FPL July 2014 2 NextEra Energy is a premier U.S. power company comprised of three strong businesses

348 views • 30 slides
Improving your Biological Power Hacking into your brain and body to maximize your results What

Improving your Biological Power Hacking into your brain and body to maximize your results What

Improving your Biological Power Hacking into your brain and body to maximize your results What is Endurance? Endurance is NOT Cardio Training Endurance is specific to the sport and event Sprinters vs. Marathon Runners/ Olympic Weightlifter

358 views • 22 slides
Power grid partitioning Data-Driven Partitioning of Power Networks Via Koopman Mode

Power grid partitioning Data-Driven Partitioning of Power Networks Via Koopman Mode

Power grid partitioning Data-Driven Partitioning of Power Networks Via Koopman Mode Analysis by Raak, Susuki and Hikihara Presented by Andr and Pontus http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/BlackoutFinal-Web.pdf 2

411 views • 27 slides
About La Maestra o Mission: To provide quality healthcare and education, improve the overall

About La Maestra o Mission: To provide quality healthcare and education, improve the overall

About La Maestra o Mission: To provide quality healthcare and education, improve the overall well-being of the family, bringing the underserved, ethnically diverse communities into the mainstream of our society, through a caring, effective,

446 views • 6 slides
The Warsaw Ghetto Uprising Exploring history, meaning and significance Learning objectives To

The Warsaw Ghetto Uprising Exploring history, meaning and significance Learning objectives To

Centre for Holocaust Education The Warsaw Ghetto Uprising Exploring history, meaning and significance Learning objectives To develop knowledge and understanding about the Warsaw Ghetto Uprising To think about what the meaning(s) of the

554 views • 18 slides
Global infection prevention and control 2018-22: a call for action EUNETIPS contribution Daniele

Global infection prevention and control 2018-22: a call for action EUNETIPS contribution Daniele

Global infection prevention and control 2018-22: a call for action EUNETIPS contribution Daniele Celotto Silvio Brusaferro EUNETIPS board coordinator Agenda GIPCN call for action EUNETIPS: presentation of the network EUNETIPS:

580 views • 39 slides
XLII Conference on Mathematical Statistics CCnet: joint multi-label classification and feature

XLII Conference on Mathematical Statistics CCnet: joint multi-label classification and feature

XLII Conference on Mathematical Statistics CCnet: joint multi-label classification and feature selection using classifier chains and elastic net regularization Pawe Teisseyre Institute of Computer Science, Polish Academy of Sciences Outline

462 views • 27 slides
Uplift modeling with survival data Piotr Rzepakowski National Institute of Telecommunications

Uplift modeling with survival data Piotr Rzepakowski National Institute of Telecommunications

Uplift modeling with survival data Piotr Rzepakowski National Institute of Telecommunications Warsaw, Poland Szymon Jaroszewicz National Institute of Telecommunications Warsaw, Poland Polish Academy of Sciences Warsaw, Poland HI KDD 2014

655 views • 19 slides
MSQL: A Query Language for Database Mining TOMASZ IMIELI NSKI imielins@cs.rutgers.edu AASHU

MSQL: A Query Language for Database Mining TOMASZ IMIELI NSKI imielins@cs.rutgers.edu AASHU

Data Mining and Knowledge Discovery 3, 373408 (1999) 1999 Kluwer Academic Publishers. Manufactured in The Netherlands. c MSQL: A Query Language for Database Mining TOMASZ IMIELI NSKI imielins@cs.rutgers.edu AASHU VIRMANI

754 views • 36 slides
Unusual Testing Lessons learned from being a Casualty Simulation Victim Nathalie Rooseboom de

Unusual Testing Lessons learned from being a Casualty Simulation Victim Nathalie Rooseboom de

Unusual Testing Lessons learned from being a Casualty Simulation Victim Nathalie Rooseboom de Vries van Delft _________________________________________________________________________________________________ Copies may not be made or

510 views • 23 slides
Definition of VaccineHesitancy V accine Hesitancy refers to delay in acceptance or refusal

Definition of VaccineHesitancy V accine Hesitancy refers to delay in acceptance or refusal

Definition of VaccineHesitancy V accine Hesitancy refers to delay in acceptance or refusal of vaccines despite availability of vaccineservices complex and context specific varying across time , place and vaccines Vaccine attitudes can

115 views • 7 slides

More recommend