Podcast

How to secure the smart metering infrastructure?

OT Security Made Simple welcomes Kenneth Lampinen, Head of Global Security Operations at energy management system provider Landis+Gyr. Kenneth talks about the threats targeting the smart metering infrastructure and why the starting point of cybersecurity is always knowing your turf.

Duration:
22 min

Guest in this episode:

Kenneth Lampinen
Head of Global Security Operations at Landis+Gyr.


Transcript

Klaus Mochalski

Hello and welcome to a new episode of OT Security Made Simple. I'm Klaus Mochalski, founder of Rhebo. My guest today is Kenneth Lampinen. Kenneth is with Landis+Gyr. For full disclosure, Rhebo has been part of Landis+Gyr for the past three years, so we have been cooperating closely. In this episode, we are going to specifically talk about one area of cooperation. But before we do that, Kenneth, can you quickly introduce yourself? What are you doing at Landis+Gyr?

Kenneth Lampinen

Sure. My name is Kenneth Lampinen. I'm actually based in central Finland, and I am the Head of Global Security Operations for Landis+Gyr. I've been with the company for about four, four and a half years now, so just a little bit before you guys came on board, actually.

Klaus Mochalski

Right. Landis+Gyr is building smart meters [and energy management systems], to put it very simply. Of course, there is an entire infrastructure around it. As probably all of our listeners may or may not have heard, smart meters, as they are smart and digitally connected devices, they also have a certain attack surface. In a sense, they form an IoT network. You could probably call it an industrial IoT network. As such, they need to be protected from a security standpoint. Rhebo has, for many, many years, been in the business of securing OT infrastructure, so operational technology. This industrial IoT infrastructure is really a part of operational IT. Or you could also say that OT is a part of IoT, so there are different ways, different angles to look at it.

Landis+Gyr and Rhebo have been working on integrating Rhebo's OT security solution to provide advanced security features for the smart meter products and solutions that Landis+Gyr is offering. Right now, we are in the process of launching it in the North American market, especially in the US market. With this, we are, of course, exposed to many specific security challenges that we find in this specific industry sector. You've been part of the team working on this rollout. What can you tell us about the current threat situation in the North American market, specifically in the area of smart meters, let's call it a smart grid infrastructure?

Kenneth Lampinen

Yeah. Yeah. I think if you look at smart meters, historically, security has always been a big part of making sure that smart meters are secure. We've worked and invested quite a bit in that. But I think if you go back quite a way, the thinking has been that the threats were really around the meters, the endpoints, and the communication on that metering network. And so thinking about things like fraud, thinking about things like very small scale attacks against the meters, not looking at it from the big picture that we have today in terms of the cyber threats that we have today.

If you fast forward from when smart meters came on the scene, maybe 15, 20 years ago, to where we are today or even in the last three, four years, the threat landscape has changed quite a bit. The people that are attacking meters aren't just attacking to get free electricity anymore. They're attacking to go ahead and cause damage, to hold information or operations ransom so that they can get money. In some cases, to just turn off the electricity, whether that's for political or geopolitical reasons, or for activism reasons. There are a lot of new threat actors that are out there.

The original designs of smart meters, their initial focus of securing the endpoint, securing the meter itself, to really securing the whole system today, it's changed because the attacks have changed, the threat actors have and what they're doing has changed. If you look at today where the biggest focus is, it's really around the whole metering system, and specifically the head-end of that system.

The head-end being the control point where meters communicate back to and where those meters are controlled. And being able to secure that, being able to monitor it, being able to […] understand what is actually happening in that environment – both the environment that the solution is installed in, so the IT environment, but also the OT application or solution itself, the metering networking system – […] is vitally important in order to secure our electric distribution infrastructure today. Now, in the future, it starts to change a little bit because we start to get into smarter endpoints and electric meters that are actually doing more than just electric metering and connecting to multiple things. But it's a little bit out in the future. Today, really, to the question that you asked, it's really about these systems as a whole and the endpoint in particular.

Klaus Mochalski

That's quite interesting. You're already touching on the infrastructure part of it, so how to protect such an infrastructure. Let's get into this in a second. But you also mentioned two different types of attacks that we are seeing very commonly in many, many different areas. Apparently, also in the smart metering environments.

You mentioned ransomware attacks that we see very often in any IT infrastructure in the world. You also mentioned the state-sponsored threat actors, and they pose different risks. On the one side, they hold you to ransom, and they are after the money, basically. On the other, they probably want to use this access as leverage in any type of conflict. Right now, we are in the middle of... There are lots of conflicts. How would you estimate the different threats on both sides?

If I'm an operator of a smart meter infrastructure, let's say I'm an electricity distribution company, and I operate, let's say, 3 million smart meters in the field. What's my biggest threat today from your perspective, from what you've seen over the past months and maybe a few years?

Kenneth Lampinen

Well, I think the biggest risk continues to be ransomware, because it's very immediate. It's something that's continually going on. We see it across all industries, not just energy distribution, but it is affecting energy distribution as well. And there's a lot of immediate financial incentive to enact those types of attacks today.

When you look at threat actors in the geo-political situation, there's not the immediate risk necessarily to enact an attack that would shut down electricity, but there is a lot of activity that is going on around pre-positioning to enable those attacks. And so being able to monitor to understand what's happening there as well is very important because that activity is also happening today. But I would say if you had to choose between the two, what's the most immediate one? It is ransomware.

Klaus Mochalski

It's probably also a bit of the distribution between risk and consequence. What's the biggest risk? Apparently, the biggest risk is being hit by a pretty standard ransomware attack if you don't secure your infrastructure properly. But the consequence is probably higher if you are targeted by a state actor attack, which has the only goal to bring down your infrastructure, basically, turn the lights out. But looking at consequence, what's the most likely consequence? What's happening in an average case during a ransomware attack if such an attack is successful in a smart meter infrastructure?

Kenneth Lampinen

Yeah. A lot of the attacks that you see in ransomware are impacting the IT portion of a utility, for example. But that can bleed over into the IT portion of the OT operations, which can be just as serious in effect.

Klaus Mochalski

You mentioned earlier the head-end system, which I understand is the management system for the smart meters out there. I imagine this would be a system that could be affected by such a ransomware attack, right? Not to be [the target] directly, probably.

Kenneth Lampinen

Yeah. I mean, typically those are on segmented networks, but they run on Windows. They run on standard IT systems. And so, if those environments in which those solutions are run are infected by ransomware, they're going to be just as vulnerable as any other system. I think in those cases, what you're looking at is for the head-end system the most likely scenario is [getting] encrypted and you're not able to go ahead and get your billing data. You're not able to charge. It doesn't necessarily turn the lights out.

The scarier scenario is where you have a more hands-on attack, and maybe prior to that, you have a more savvy threat actor who goes in, turns off the meters, and then encrypts your data, and then it turns off the electricity. It basically incapacitates the entire system. Those types of scenarios are also possible and things that you'd want to avoid.

That's why monitoring is so important and really understanding what's happening in your environment, in the OT level as well as the IT level. But I think if you look at financial incentive, where threat actors are often going for scale and looking to standardize their attacks as much as possible, most likely your system is incapacitated, you're not able to get billing data, you're not able to make changes. So maybe some incremental things or outages or things like that, you're not able to make corrections. But not all the lights would necessarily turn off if you just turned off your head-end system.

Klaus Mochalski

Right. So, the operator would face a financial disaster, but not necessarily, let's call it a national disaster, where a bigger part of the infrastructure just fails and we don't have any electricity.

Kenneth Lampinen

Correct. Yeah.

Klaus Mochalski

Okay. Then you described a bit about the infrastructure. We have the head-end system, so the central management system. We have the smart meters, and there are probably more pieces of the infrastructure.

You also mentioned, and this is very common to what we are hearing in nearly every other industry regarding OT security, that first and foremost, transparency is key to understand what's going on, to basically get early warnings. If you don't have any measures in place, you need to have this early warning system that you can actually see something like a ransomware attack or espionage for a later state-sponsored targeted attack against the infrastructure happening very early on.

For an operator who is just starting their journey towards a higher level of OT security in their smart grid infrastructure, what would you recommend or what are your recommendations generally as first steps? Where do you start? Because if you look at the problem, it can be overwhelming. Looking at the first steps that provide the biggest merit, the low-hanging fruits, so to say, what would these be?

Kenneth Lampinen

Well, I think it's really important to be able to understand what's happening in your environment. You need to be able to monitor the different traffic that's happening, the different activities that are happening, both from an IT perspective and from an OT perspective. You need to be able to look across that data in both sets of data and look at it from an attack mindset.

It's also really important, in addition to monitoring, that you understand what that data means, right? And you understand what telemetry data appears to be internal and normal, what's an anomaly, internal normal, and then what's an anomaly, externally. And specifically, being able to attribute it to malicious type of activity or threat actors is extremely important.

So, understanding if it's coming from a specific IP address, that's a malicious IP address. Understanding that that activity shouldn't be happening. Understanding if there are certain file hashes that you see in your environment, that means that there's been a threat actor that's been in your environment. Just those very basic things are very important starting points.

And once you're able to do that, you're able to get a better understanding of really where you're at. Also, I would add to this that when you're doing this monitoring, a lot of times you'll find things like misconfigurations, especially from a security standpoint. And understanding that, getting those low-hanging fruit misconfigurations fixed is also super important in that battle. But you have to start with understanding, understanding where you're at, understanding your environment, and then understanding the threat actors and if they're interacting with you.

Klaus Mochalski

Right. It sounds like the first steps would be a baselining, understanding what you have, what's already there, what's supposed to be, what's not supposed to be there. From this, establish an infrastructure-specific risk assessment. Where are my specific risks? They may be similar to other players in the industry. They may be somewhat different, somewhat biased towards, let's call it, personal risks or technology risks, depending on what technology I'm operating. But risk assessment is probably always a very good first step.

Kenneth Lampinen

Definitely. The other part I'd add there is on the threat side, understanding who your threats actually are, because there's a lot of different ransomware groups and there's a lot of different threat actors out there. It can feel very overwhelming. But there are specific ones that target electric. There are specific ones that target utilities, and they're different than some of the other ones. And those threat actors have very specific ways of working. So, you can really narrow [it down]. Once you have the proper information, you can narrow down any actions that you need to take to very specific actions. And you shouldn't feel overwhelmed by it. Yes, there's upfront work, but once you get there, once you understand yourself, and once you understand your enemy, it gets down to classic warfare type of ideology. But once you understand those two things, it's pretty straightforward what you need to do in order to get yourself in a secure situation.

Klaus Mochalski

This sounds pretty simple. But let me get back to the feeling of being overwhelmed that many customers [experience]. It’s one thing working on understanding yourself and your own infrastructure. That's something that everybody should strive to do as best as possible. But what you just mentioned, understanding the threat landscape is something entirely different. Much more complex, much less transparent, much less discoverable for the average player.

How much resources would you devote to this part? We all agree that we need to understand our own infrastructure, otherwise we can't really protect it. But how much should I, as an infrastructure operator, devote to really understanding what's going on out there in terms of threats? Or should I leave this to my service provider, for instance?

Kenneth Lampinen

Well, I guess it really depends on how you're set up and how your security operations are set up, if you've got these completely outsourced. But I mean, typically, especially from an OT perspective, a lot of that's handled internally and working with internal security operations.

And I guess what I would say is this: I find threat intelligence management and that work to be extremely important just in terms of being able to maintain sanity in a very complex world. Because what it helps you do is really prioritize what it is you need to do. I mean, it's impossible to eliminate all risk, right? We don't live in a risk-free world. But what it helps you to do is to really understand where the big buckets of risk are, where the biggest threats are, where the priorities are in terms of what you need to fix internally.

I think a lot of organizations... It's one thing to understand your organization. In some ways, OT is... I don't want to minimize its complexity, but in IT – just the nature of it, the constant change, the constant use of very complex systems and multiple systems – it can be hard to really get a nice, clean environment where there's a simplicity that you're able to sleep at night without even worrying a little bit. In OT, I think, the architectures are clearer. They're a bit more straightforward even when they're complex, and they're more stable in many ways.

You have these two environments that come together. But from a threat intelligence perspective, the IT portion is the part where you're going to be the most worried. It's the more complex, it's the more dynamic, it's the [one with] more change, it's the more targeted. And if you're able to go ahead and home in on what the pieces are there that we need to work on in order to lower our risk – what are the biggest buckets that lower our risk the most – I think you get a lot of bang for your buck.

It's hard to say what percentage of your effort should be related to threat intelligence. The way I look at it is what amount of threat intelligence gives me enough insight to lower the big buckets of risk. It's going to be different for every company. It's going to be different for every organization [because of] the way that they're set up.

Klaus Mochalski

Most of it resides on the IT side anyways. This is where the biggest threats come from. This is also what we've seen from customers in different markets. That there are very few targeted OT attacks, but there are many, many IT attacks, and some of them spill over into OT. This is where we have to watch closely. There's common consensus that you, of course, need to protect your IT infrastructure. Basically, you get a free ride. If you do this properly, then you're not doing too bad on the OT side either.

Probably also… I found it interesting what you mentioned about the complexity of OT. Because many people in OT complain about its complexity relative to IT. In IT, we only have a couple of Windows servers. Ideally, they all run the same version, so it's much less complexity. But if you look specifically at the smart metering infrastructures, what you said is probably true here, because you have the system of a certain type, and then you have the meters. Of course, there may be revisions of meters, but how many can there be? It's not going to be 100 different versions. They are probably also coming from one to maybe three vendors at the most. You only have a very limited amount of device types. So, it should be very simple – if you have proper IT security measures in place – to basically extend the security to these connected devices as well.

Kenneth Lampinen

Well, and the other thing that I would say for OT environments is you don't have as many people doing random things. That's true. There are more defined processes. I think the environment in some of this can obviously be very complex. But you don't have thousands of employees all deciding that they want to just install their own software today or visit a malicious website. Or all the things that people do as a daily part of doing their work or interacting on the Internet. You don't have that as much in OT environments. And I think that alone, that combined with more defined processes make it easier from a security aspect, at least.

Klaus Mochalski

I think that's a very nice closing remark. Don't worry too much if you're running a smart grid infrastructure because the problems are probably not as bad as the problems that you need to manage in a typical IT infrastructure. Good practice on IT needs to spill over to the OT side as well. That's always a good starting point. Start with a risk assessment, understand what you're doing internally, what your infrastructure looks like.

But also spend some cycles, as you mentioned, to understand what you're up against. Probably use exchange forums to understand what's going on in your specific industry, talking to peers, looking at threat newsfeeds, these things, and then you're set up pretty well as a first step.

Kenneth Lampinen

Yeah, definitely reach out to your industry, your ISAC. In North America, it would be E-ISAC. They share a lot of great information, a lot of best practices. It's a great organization to be involved with, a great place to get started.

Klaus Mochalski

Right. Very good. We didn't get to talk about regulation and organizations in a specific market. Maybe let's do this in a follow-up episode. But so far, I found this discussion about the specific threats very interesting. Thank you very much for being here and for the interesting insight into this specific area.

Kenneth Lampinen

Thank you. It was great being here.
