Grid infrastructure could be at risk from a microprocessor vulnerability that has shaken up the IT industry, warn analysts.
Dima Tokar, co-founder and chief technology officer at the internet-of-things analysis firm MachNation, said a security loophole unveiled this month could be present in many energy plant components.
“This vulnerability is wide-reaching and affects many different [chip] makers,” he said. “Anyone operating mission-critical systems or infrastructure should assume they are vulnerable until they confirm otherwise.”
Ben Kellison, director of grid research at GTM Research, said it was still unclear how profoundly the problem might impact the energy industry. “If this issue is only a problem in shared cloud environments, I think grid operators will likely be fine,” he said.
“However, if the vulnerability is also present in local machines, then we may be in a different situation, as these desktops and laptops can be connected to both the corporate and operations network. If these are vulnerable, this could be a pretty sizable issue,” said Kellison.
All the evidence points to the latter being true. The Financial Times reported that the security flaw “stems from a pervasive vulnerability in chip designs that stretches back decades and has been found in almost all PCs, smartphones and servers.”
Solar inverters are known to be among the devices that could be compromised.
A spokesperson for SMA told GTM the company is “aware of the current bugs that are affecting several chipsets installed in different electronic devices, including, for example, PV inverters. SMA is taking this topic very seriously.”
An analyst note by MachNation’s Samuel Hale explained that the vulnerabilities allow non-privileged local applications to access areas of chip memory usually reserved for the operating system kernel.
“The practical impact is that any application running on a system may be able to access normally off-limits data, such as passwords, security keys or other sensitive information stored in-memory on the local machine,” Hale said.
Researchers have found two versions of the vulnerability. One, called Meltdown, lets a malware program penetrate the memory of other programs and operating systems. The other, Spectre, breaks the isolation between applications so attackers can crack error-free programs.
Google, which helped uncover the flaw several months ago, but kept it secret while the IT industry scrambled to put mitigation measures in place, said Spectre is harder to exploit but also harder to deal with.
“In fact, the safety checks of best practices actually increase the attack surface and may make applications more susceptible to Spectre,” Google said.
So far there are no documented cases of Meltdown or Spectre being exploited by hackers. But attacks would be hard to prove in any case, since the malware that might exploit the security flaws would be hard to differentiate from standard applications, and an attack would leave no trace.
Google estimated Meltdown would affect almost every Intel processor built since 1995. Meanwhile, the Spectre flaw is present on Intel, AMD and ARM processors used in mobile phones and desktop, laptop and cloud computers.
Tech firms rushed to offer protection after details of Meltdown and Spectre were released. But efforts to plug the processor flaws have been complicated by the fact that the fixes so far have had a measurable impact on computer performance.
The vulnerability also had a measurable impact on chip manufacturer share prices. Intel, which is thought to have the highest exposure to the problem, saw its stock falling more than 8 percent in value since the beginning of the year.
One hopeful sign for grid operators is that Cisco, the networking equipment maker, said the majority of its products are not vulnerable because they are “closed systems that do not allow customers to run custom code on the device,” according to Reuters.
The implication is that processor-equipped hardware not connected to wider networks, such as isolated supervisory control and data acquisition systems, may not be at risk.
Nevertheless, the proportion of such equipment is dwindling as generation plant owners and operators rush to connect their assets to the internet in a bid to gain greater operational insights and control.
Meltdown and Spectre come at a time of already heightened concern over grid cybersecurity, with insiders last year claiming energy system IT systems were open to breaches. Against this backdrop, Tokar advised energy companies not to take any chances.
“Private- and public-sector organizations should conduct an audit to identify and mitigate any risks posed by the vulnerability,” he said.