# C suite panel vid draft ### Stuff we need * The C-Suite wants a briefing tomorrow (10/23/23) about the risks that the smart meter attack will pose to the company * the network admin team is severely understaffed and behind schedule. * you have decided to focus the briefing on the business risks to the corporation rather than a technical walk-thru of vulnerable network assets **OVERVIEW** * What are the risks of a large number of customers' smart meters being compromised * What is the summary of strategy to reduce these risks * What are the high-priority recommendations to protect infra * What are 3-4 high-priority actions to improve the overall security posture of the system * Include staff training needed * Include discussion of tools & capabilities * Include an estimated cost, timeline, and benefits/justification The C-Suite (CEO, CIO, and COO) is concerned that the recent series of smart meter attacks may impact DER8.9's business. The C-Suite wants a briefing tomorrow (10/23/23) about the risks that the smart meter attack will pose to the company. You know that an understanding of the company's network architecture is a key factor in your risk determination. But unfortunately, the network admin team is still in the process of mapping your network and its assets. (Note: you assigned this task to them a month ago, but the network admin team is severely understaffed and behind schedule.) They won't be able to provide you with any data until next week. In the meantime, they assure you that there is a corporate firewall that should mitigate most attacks. Therefore, you have decided to focus the briefing on the business risks tothe corporation rather than a technical walk-thru of vulnerable network assets. The participationof at least two members in the recorded video is expected and contributions of other team members should be acknowledged. Keep in mind that the C-Suite is a primarily non-technical audience, and that current funding is extremely limited or non-existent and all actions you are taking should use free or open-source tools (for the business). a. Include and discuss any recommended staff communication, training, potential staff/management changes that could help mitigate the ~~ongoing attacks~~, reduce risk of future attacks, and improve the DER8.9 security posture. Highlight any future assessment and monitoring actions you propose. b. Discuss any additional resources (tools, staffing, capabilities, etc.) that are needed to implement your recommendations.c.Include an estimated cost, timeline, and benefits/justifications for your proposed recommendations. Note: There are dozens of recommendations that you could make, but the C-Suite is extremely busy so you will need to prioritize your top three or four recommendations to present to the C-Suite in “tomorrow’s” briefing ## Part 1: Intro Good morning. Thank you for joining Team 039 in this security briefing on the recent smart meter attacks I am Ben, the technical lead, and I am joined by Naresh and Adam. ## Part 2: Business + Customer risks As a DER management company, we are responsible for critical infrastructure and it is imperative that we maintain a strong security posture. A security breach in * Smart meters have an advertised life expectancy of 10-20 years - Beyond that, they are time-consuming and costly to replace. - As a result, a compromise in their security involves significant amouts of risk for both business interests and customer assurance and safety. * For the business, DER infrastructure / smart meter compromise is a risk because: - Reason #1: It opens up the possibilities to energy theft, whereby exploited devices may report false power analytics if DER security is not prioritized. Widespread instances of client energy theft means a net loss in revenue that can quickly scale up. - Reason #2: In the event that the attackers extend their compromise beyond a local exploit (e.g. hacking their own smart meter), the digital infrastructure of the company may be at risk, which threatens access and control over all client power usage. That is to say, instead of having just a few clients with faulty energy usage reporting, the company would no longer be able to monitor anyone's energy usage, and entire sections of the power grid in itself may be shut down and unusable which may imply rapid monetary damages * For customers, DER ifnrastructure / smart meter compromise poses a risk due to: - Reason #1: Power loss: Attackers may be inclined to attack a power grid for a variety of reasons, and sometimes those reasons include what we call a denial of service. This may be done to demand monetary compensation, or simply to cause damage. The end result of this may include a loss of power for customers that form part of the comrpomised power grid section. - Reason #2: Personal info disclosure: Although our smart meter and DER systems very rarely transmit any kind of personal information, a skilled enough attacker may be able to gain enough of a foothold to reach our internal customer data storage ## Part 3: Strategy to reduce risk Logging Security - Compliance with IEEE thing - - Talk about exposed attack surface on the physical devices themselves - e.g. Hardware debug ports - Audit systems for malicious activity - Install an IDS/IPS for quarantining and controlling suspicious components ## Part 4: High priority recommendations * Centralized, managed logging * Standardized testing methodology [1] [Too wordy, make concise pls] * Ensure safe recovery and clear installation instructions. * Use digital signature checks and verify firmware integrity. Prioritize data validation, DoS protection, and interface minimization. * Report security events and protect log integrity. * Implement strong random number generators, message encryption, and integrity protection. * Log intrusion attempts, secure data components, and seal the device perimeter. * Separate functions during attacks and maintain security during failures. * Implement role-based access, strong authentication, and account lockouts. * Enable remote security updates, ensure future resource availability, and comply with cryptographic requirements. * ## Resources [1] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10146320/#B5-sensors-23-04043 [2] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7412105/