
'Smart Grid' may be is vulnerable to hackers!


CNN broke the story this weekend. In the story, IOActive determined that attackers are able to “take command and control” of the advanced meter infrastructure. Big news? No.


The article goes on with expert claims about blackout scenarios. Indeed, have Kaminsky and IOActive (the guys who discovered the internet-wide DNS flaw) turned their attention to the power grid?


If so, hurrah! The more ‘good’ guys looking at smart grid security, the better. It's kind of interesting that just 10 days prior, the AMI-SEC task force released the AMI System Security Requirements. This specification helps people understand just how big the application space is for AMI and Smartgrid. There will be bugs, and some will be security bugs. (Full disclosure: OSIsoft is a member of UCA, the parent organization sponsoring AMI-SEC.)


Waiting to solve all the security challenges is not really an option. Most security experts will tell you there is no end game in pursuit of a perfectly secure network, computer system or smart meter. You simply can’t prove absence of a bug.


All control systems should be implemented with a cyber security defense-in-depth strategy to slow and deter hackers. PI is frequently one or more of the layers in the security topology. We expect security performance and monitoring in PI will also be one of the application topologies for AMI/Smartgrid implementations.


One of the reasons I like this approach is the potential to implement sanity checks on commands at a higher level. So you want to disconnect a meter due to a move-out: what’s the current load? Is there a load on the meter, and does the load exceed historical norms for the intended customer? Are the parent transformer and substation assets healthy? These kinds of checks will be difficult to implement in the head end system or final control elements.
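A sketch of such a higher-level gate for a disconnect command, added here as an example and not taken from the original post or from PI. The property names, the sample values, the 1.5x threshold and the decision to hold a command when telemetry is missing are all assumptions.

```powershell
# Added example: pre-dispatch sanity check for a remote meter disconnect.
# Property names, sample values and the 1.5x threshold are assumptions.
function Test-DisconnectRequest {
    param(
        [Parameter(Mandatory=$true)] $Request,     # the command the head end was asked to send
        [Parameter(Mandatory=$true)] $Telemetry,   # latest values read from the historian
        [double] $NormFactor = 1.5                 # allowed multiple of the historical load
    )
    $reasons = @()
    # Missing data is a reason to hold the command, not to wave it through.
    foreach ($name in 'CurrentLoadKw','HistoricalLoadKw','TransformerHealthy','SubstationHealthy') {
        if ($null -eq $Telemetry.$name) { $reasons += "no data for $name" }
    }
    if ($reasons.Count -eq 0) {
        if ($Request.Reason -eq 'MoveOut' -and $Telemetry.CurrentLoadKw -gt 0) {
            $reasons += "move-out requested but meter carries $($Telemetry.CurrentLoadKw) kW"
        }
        if ($Telemetry.CurrentLoadKw -gt $NormFactor * $Telemetry.HistoricalLoadKw) {
            $reasons += 'load exceeds historical norm for this customer'
        }
        if (-not $Telemetry.TransformerHealthy) { $reasons += 'parent transformer unhealthy' }
        if (-not $Telemetry.SubstationHealthy)  { $reasons += 'parent substation unhealthy' }
    }
    # Allow is true only when every check passed; otherwise hold for review.
    New-Object PSObject -Property @{
        MeterId = $Request.MeterId
        Allow   = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Constructed sample data
$request   = New-Object PSObject -Property @{ MeterId = 'M-0001'; Reason = 'MoveOut' }
$telemetry = New-Object PSObject -Property @{
    CurrentLoadKw = 3.2; HistoricalLoadKw = 1.1
    TransformerHealthy = $true; SubstationHealthy = $true
}
Test-DisconnectRequest -Request $request -Telemetry $telemetry | Format-List
```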


Sure, I’d bet my bottom dollar that IOActive has found a flaw in AMI or SmartGrid technology. I've even seen demonstrations where encryption keys have been extracted from chips using hypodermic needles as conductor leads (Yes, smart meter circuits are now being physically secured in a block of epoxy).  But let’s be serious, the control logic to simultaneously open thousands or millions of meters doesn’t exist.  Target a main breaker on the EMS system, now that’s a juicy target.

If you've been reading in the "development blogosphere" lately, you probably heard about Microsoft's MIX09 conference, going on as we speak, which showcases the latest Microsoft technologies for web designers and developers. One of the key topics in that conference (31 sessions in 3 days!) is Silverlight 3 (beta). In my humble opinion, one of the most important new features is the out-of-browser experience, a highly requested feature which enables Silverlight 3 applications to run as desktop applications on Windows and Mac computers.


I don't pretend to have better blogging skills than the hundreds of bloggers talking about that, so what I suggest is that you read Tim Heuer's blog post on the topic. Tim works for Microsoft as a program manager for Silverlight, and I found this blog post to be the most complete and comprehensive on Silverlight 3. Happy reading!

Some of you may be aware of the “Cyber Security Audit and Attack Detection Toolkit” research project at Digitalbond.  The audit component of the project works with the Nessus vulnerability scanner to assess policy compliance across both host and application specific settings.


One part of the checks for PI examines SMT tuning parameters (a.k.a. the PI timeout table). A PIconfig script is used to export the table. In a catch-22 kind of way, PIconfig prompts for a password when the system is set to “checkutilitylogin”. Thus you could expect to find a clear text password in any PIconfig script built for unattended execution.


Restricted permissions on the script file offer some protection, but we can do better with PowerShell.


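# initialize local variables
# (the values were not shown on the page; the entries below are placeholders)
$piuser    = '<PI user name>'
$pwfile    = '<path to encrypted password file>'
$piconfig  = '<path to piconfig.exe>'
$bandolier = '<Bandolier script directory>'

# if no password file, prompt for the password and save the file
if (-not (Test-Path $pwfile)) {
    $bytes = Read-Host "Enter PI password for $piuser to generate security audit data" -AsSecureString
    $bytes | ConvertFrom-SecureString | Set-Content $pwfile -Force
}

# read the password file and decrypt it under the current user's key
$bytes = Get-Content $pwfile | ConvertTo-SecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($bytes)
$pipass = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # wipe the unmanaged copy

# run piconfig with the export script; the password is on the command line while it runs
$picmd = "start /b /wait $piconfig input $bandolier\secaudit-piconfig-timeouts.txt exit -localuser $piuser -localpass $pipass"
cmd /c $picmd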



PowerShell secure strings use the Windows Data Protection API (DPAPI). The default key is part of the current user context, so it’s important that the task runs as the same user account that initially generated the password file.
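Because the key is bound to the user context, an unattended task started under a different account cannot decrypt the file. The following added example (not part of the original post) restricts the password file's ACL to the current account and turns a failed decryption into a clear error; the function names and the path in the usage lines are hypothetical.

```powershell
# Added example; function names and the path in the usage lines are hypothetical.
function Protect-PasswordFile {
    param([Parameter(Mandatory=$true)][string]$PasswordFile)
    # DPAPI already ties decryption to this user; the ACL additionally keeps
    # other accounts from reading or replacing the encrypted blob.
    $me  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $PasswordFile
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting entries
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $allow = New-Object Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($allow)
    Set-Acl -Path $PasswordFile -AclObject $acl
}

function Get-SavedPassword {
    param([Parameter(Mandatory=$true)][string]$PasswordFile)
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    if (-not (Test-Path $PasswordFile)) {
        throw "Password file '$PasswordFile' not found; create it interactively as $me first."
    }
    try {
        # Decryption fails when the blob was written by another account
        # or on another machine.
        $secure = Get-Content $PasswordFile | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        throw "Cannot decrypt '$PasswordFile' as $me. Regenerate it under the account that runs the task. ($($_.Exception.Message))"
    }
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # wipe the unmanaged copy
    }
}

# Usage (placeholder path):
# Protect-PasswordFile -PasswordFile 'C:\path\to\pi-audit.pw'
# $pipass = Get-SavedPassword -PasswordFile 'C:\path\to\pi-audit.pw'
```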


Given the power of PowerShell and the lessons learned from exploits of the Windows Script Host environment, it’s no surprise that script execution is disabled by default!

How many of us have had a hard time staying up-to-date with all the things that come out each day? I bet all of us, imagine sending those trends on a day-to-day basis... oh, that should be hard.


So, how about that guy named Atlas? Yeah, the guy that was carrying the world wide web on his shoulders, wait... what??? What do you mean there was no WWW in his days? Ohhh, I see. I have found and now share with you a couple of links that will, hopefully, make your life easier, bring you up to date, and make for an overall better user experience using Ajax 2.0 with Microsoft .NET Framework 3.5.


You can find the Official AJAX.NET Homepage where you can get the latest version of this framework (and believe me, you so want to get it).


Maybe you'll need a little more convincing... I'm up for that challenge, and I'm presenting you a little bit more eye candy in this ASP.NET Ajax Control Toolkit; feel free to play with it, configure it, and fall in love with it. I really intended to put some screenshots of this here, but it does not have the same feeling; you need to go there and see for yourself! Trust me on this one.


You will see something like this. See the big list on the left side? all of those are Controls! Go go go!


And last, but not least important, if you call now you can get all this for the incredible web-offered price of... hehehe, too much infomercials for me. You can get it for free, it does integrate well with Visual Studio, and a Microsoft team (plus a lot of external collaborators) are working to make this available for everyone to use, so... what are you waiting for? get to the download page and start using the ASP.NET Ajax Control Toolkit with your OSIsoft's SDKs! (Marketing told me to put that here. hehe.)


I hope you enjoy this, I'll be playing with these controls this week.


Stay tuned!




P.S. Just for a little bit of background: AJAX is a Web 2.0 technology that allows changes in a webpage with a seamless refresh. It is becoming commonly used and is an acronym for 'Asynchronous JavaScript And XML'. Atlas was the codename for the AJAX Control Toolkit.



In my last post (AdHoc Calculations in RtWebparts (1)) I have shown you a simple dataset that takes a PE like expression and calculates it.
In RtBaseline Administration the Dataset would look like:


In this post I am going to show you how to use it in a very simple display.

The Web Part Page

  1. We create an empty web part page and add a Form web part to it.
  2. We add an RtTrend web part.
  3. Now we connect the two web parts:
  4. The RtTrend needs to know where and what information it gets from the Form web part:
  5. So we are ready to hit OK. As a first test let us try 'CDT158'+'SINUSOID'+1000:
  6. We finally have created a web part page where an end user can enter a PE formula and get a trend of it!
