Jump to content
  • Researchers say new attack could take down the European power grid

    Karlston

    • 63 views
    • 16 minutes
     Share


    • 63 views
    • 16 minutes

    Power grid in Central Europe uses unencrypted radio signals to add and shed loads.

    Late last month, researchers revealed a finding that’s likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent.

     

    Fabian Bräunlein and Luca Melette stumbled on their discovery largely by accident while working on what they thought would be a much different sort of hacking project. After observing a radio receiver on the streetlight poles throughout Berlin, they got to wondering: Would it be possible for someone with a central transmitter to control them en masse, and if so, could they create a city-wide light installation along the lines of Project Blinkenlights?

    project-blinkenlights-throughout-the-yea
    Images showing Project Blinkenlights throughout the years.
    Credit: Positive Security

    The first Project Blinkenlights iteration occurred in 2001 in Berlin, when the lights inside a large building were synchronized to turn on and off to give the appearance of a giant, low-resolution monochrome computer screen.

    Hijacking 60GW of power

    The researchers, who presented their work last month at the 38th Chaos Communication Congress in Hamburg, Germany, wondered if they could control streetlights in Berlin to create a city-wide version, though they acknowledged it would likely be viewable only from high altitudes. They didn't know then, but their project was about to undergo a major transformation.

     

    After an extensive and painstaking reverse-engineering process that took about a year, Bräunlein and Melette learned that they could indeed control the streetlights simply by replaying legitimate messages they observed being sent over the air previously. They then learned something more surprising—the very same system for controlling Berlin’s lights was used throughout Central Europe to control other regional infrastructure, including switches that regulate the amount of power renewable electric generation facilities feed into the grid.

     

    Collectively, the facilities could generate as much as 40 gigawatts in Germany alone, the researchers estimate. In addition, they estimate that in Germany, 20 GW of loads such as heat pumps and wall boxes are controlled via those receivers. That adds up to 60 GW that might be controllable through radio signals anyone can send.

     

    “The fact that the same receivers that are installed in street lamps are also used for smaller solar power plants did not surprise us too much,” Bräunlein wrote in an interview. “When we understood just how much power is being controlled via this system, and it also being installed in the largest renewable power plants in Germany, that was more of a shock to us.”

     

    When Bräunlein and Melette realized how much power was controlled, they wondered how much damage might result from rogue messages sent simultaneously to multiple power facilities in strategically designed sequences and times of day. By their calculation, an optimally crafted series of messages sent under certain conditions would be enough to bring down the entire European grid. A grid security expert we contacted for this story doubts this assessment. More on this later.

    Ripple effect

    The continent-wide control system, formally known as Radio Ripple Control (Funkrundsteuerung in German), is derived from the older protocol Rundsteuertechnik, or Ripple Control. Implemented in the early 1900s, Ripple Control was made up of a series of decentralized tone (ripple) injectors at voltage conversion sites known as medium voltage transformers.

     

    Based on the messages in each telegram, the receivers would then send commands to connected devices that instructed them to perform a specific action. As radio technology became more prevalent, the cost of sending telegrams over the wire, compared with sending them over the air, grew large enough to prompt the creation of Radio Ripple Control, which is now used primarily today.

     

    Radio Ripple Control uses a frequency-modulation scheme known as frequency-shift keying to send telegrams. The earliest modems used the same scheme, which relies on electromagnetic waves to represent digital information over an analog channel. More specifically, frequency-shift keying encodes information by periodically shifting the frequency of a carrier between several discrete frequencies.

     

    The company that oversees this service is Munich-based EFR. Today, it operates three high-power, low-frequency transmitting stations, two in Germany and one in Hungary.

    funkrundsteuerung-radio-ripple-control-1
    A slide from the researchers' presentation showing a map with transmitter locations and bullet points.
    Credit: Bräunlein and Melette

    Anyone can listen to these signals using a software-defined radio tuned to the frequency corresponding to an antenna within range. A Netherlands-based SDR that can be accessed here will receive the signal from the transmitter located in Burg, Germany, when the SDR is set to a frequency of 140 KHz and the modulation to LSB. The radio will sound a tone that is interrupted roughly every 10 seconds with encoded information.

     

    The Radio Ripple Control in use today sends signals not just for managing streetlights and grid allocations throughout Central Europe. It also controls various other functions, including those for delivering weather forecasts, synchronizing times, and controlling electricity pricing tariffs. Roughly 300 customers, most of them electric companies, use Radio Ripple Control for grid allocations from small- and medium-sized renewable facilities.

     

    These customers—known as EVUs, short for Energieversorgungsunternehmen (power supply company)—use either a Web or VPN desktop app to send one of the three transmitters instructions to either feed power into or ditch power from the grid. The transmitter, in turn, sends the instructions as a telegram to a radio receiver located at the power facility the EVU wants to control. When grid supply exceeds the amount of power needed at a given moment, the telegram instructs the facility to withhold electricity from the grid. When supply runs low, the telegram will instruct the facility to feed in energy.

    No confidentiality, no authentication

    These signals aren't encrypted to provide either confidentiality or authentication. That means anyone can listen in, record them, and play them back over the same frequencies. People can go much further, as Bräunlein and Melette did, by learning to speak the same arcane language that Radio Ripple Control does.

     

    Among the first steps in the research duo's reverse engineering process was purchasing nine receivers—known as FREs in Radio Ripple Control parlance—from different manufacturers of the devices. The researchers then implemented an emulator of the real transmitter. To do that, they used an ESP microcontroller outfitted with a waveform generator and, for an antenna, a coil from a wireless phone charger. They used capacitors to tune their emulator to the correct frequencies. With that, the researchers could now send and receive telegrams in their lab.

    receivers-and-transmitter-emulator-1024x
    Credit: Positive Security

    Bräunlein and Melette eventually discovered that the message bits sent to the FREs are encoded using two protocols, one known as Versacom and the other Semagyr. The bits are then modulated through frequency-shifting keying to produce the radio signal containing the telegrams.

     

    The Versacom and Semagyr protocols are partially documented in standards set by the Germany Institute for Standardization.

     

    The researchers wrote:

     

    We collected messages that are sent by the original transmitters and tried to correlate it to what we read in the standards. Some information, however, is not described in the standard (e.g., EVU addresses and addressing usage). We could fill those blanks through PDFs we found online as well as from the actual data we recorded.

     

    To understand Semgyr, we also used some hardware reverse engineering (identifying chips, tracing PCB lines, etc.) and found one of the software solutions that technicians use to parameterize the receivers during installation, which also had some advanced functionality to read its memory and decode raw Telegram bytes to commands.

    The reverse engineering gave the researchers near-perfect fluency in speaking and understanding the Versacom and Semagyr languages. They put their fluency to use by using them to send telegrams that could indeed turn on and off simulated streetlights in their labs.

     

    More impressive still, they could use the language to send telegrams to FREs that control real electric systems in their lab, the same types that are connected to the real Radio Ripple Control system. The video below shows the researchers stopping a real 40 kWp photovoltaic system from feeding energy into the grid.

     

    Photovoltaic system disconnect.

     

    For ease, they used a Flipper Zero device they had configured to send the proper telegram to the photovoltaic system. They did this after discovering that the Flipper Zero's RFID reading mode could be used to send signals modulated with frequency-shift keying to receivers within a one-meter distance.

    flipper-zero-radio-ripple-control-1024x5
    Credit: Positive Security

    With confidence that an attacker could send unauthorized Radio Ripple Control telegrams that instructed real electrical systems connected to the grid, the researchers got to wondering: What's the maximum amount of damage a malicious actor—most likely one working for a nation-state—could inflict?

     

    The researchers surveyed the grid to measure the capacity of power that small- and medium-sized renewable facilities could feed into the grid. They arrived at the estimate of 40 GW. Combined with the 20 GW of load they theoretically can add, that amounted to an unbalanced capacity of 60 GW, enough to power roughly all of Germany. They posited that a sudden change that added or ditched that amount of electricity from the grid all at once could create enough instability to take it down entirely.

    Like dominoes falling over

    In a published summary of last month's presentation, the researchers explained their thinking behind the estimate:

     

    To understand, we need to look at the grid frequency. It’s 50 hertz, and it should always stay there.

     

    • If it reaches 50.2 hertz or more, interventions are triggered to reduce the supply. For example, using the technology we’re discussing today to turn off solar parks.
    • If the frequency drops below 49.8 hertz, other interventions occur, such as activating energy reserves or disconnecting industries that have contractually agreed to this happening. Also, the first hardware fails as it happened at Vienna airport.
    • If the frequency reaches 49 Hz or less, automated stepwise load shedding begins, up to 50% at 48.5 Hz. That might sound a bit technical and sober, but what it means for the European grid is over 200 million people without power.
    • At 47.5 Hz, power plants disconnect from the grid to protect themselves from damage. At that point, the grid needs to be rebuilt from scratch.

     

    In theory, with a fully loaded grid at 300 GW, creating a 1 Hz change to reach this private load-shedding threshold requires an imbalance of 18 GW. However, such a large imbalance—though not even that massive compared to the 60 GW estimate—has never been seen.

     

    In practice, one of the most recent incidents was in 2021, when approximately 3 GW of power were unexpectedly lost in Poland, causing the grid frequency to drop by 0.16 hertz. What this demonstrates is that the grid hasn’t yet faced such a significant imbalance.

     

    But if we start talking about imbalances of 18 GW, or 60 GW, or even more when considering other countries, there’s an additional issue besides the theoretical effect on grid frequency. That issue is power transfer.

     

    If a significant amount of power is missing in one region, it must be transferred there over power lines that could become overloaded. These lines might then shut off to prevent damage, which could overload other lines, causing them to shut off too.

     

    Such a domino effect—or cascadehappened in 2006, when a power line was shut off to accommodate a cruise ship transport. The planning wasn’t thorough, and a cascade of failures followed. So, the theoretical limits of the grid don’t fully capture the potential for much larger disruptions.

     

    Taking all of that into account, it’s clear there is enough power under radio control to cause serious trouble.

    multiple-deployment-strategies-1024x577.
    Diagram showing strategies for creating a network of renewable energy sources.
    Credit: Positive Security

    Send malicious telegrams to select FREs

    There are enough obstacles to make triggering such a catastrophic disruption challenging at best (Bräunlein's and Melette's assessment) or doubtful to unlikely (the assessment of an outside grid expert). The researchers noted three key requirements for such an attack.

     

    First, the attack must control a sufficient number of gigawatts (by the researchers' calculations (no one really knows how many). Second, it must overpower the legitimate signals sent by the three EFR transmitting facilities. And third, it must occur at an optimal time.

    conditions-for-grid-instability-1024x578
    Diagram illustrating conditions required to create serious instability in the grid.
    Credit: Positive Security

    The easiest way to trigger such a catastrophic disruption would be to take over the three EFR transmitters. One possible way for such a compromise is to hack into EFR's network remotely by, for instance, targeting vulnerabilities in the apps the EVUs use. Another is through a physical intrusion of each facility simultaneously. The researchers said that based on their observations, the transmitting facilities aren't particularly well-fortified against physical intrusions.

    efr-compromise-tactics-1024x575.jpg
    Credit: Positive Security

    In either scenario, the threat actor would then use the hijacked EFR transmitters to send malicious telegrams to carefully selected power generators.

     

    Another attack avenue would be to create rogue transmitters that would broadcast malicious telegrams. To override the legitimate telegrams sent by the EFR transmitters, rogue transmitters would have to be present in carefully selected locations so they could (1) reach the correct FREs and (2) overpower the legitimate signals.

     

    The researchers estimated the required effort by calculating and simulating transmitters with 10 kW of power and antennas approximately 500 meters long. To meet those requirements, they proposed building an amplifier powered by portable battery systems. An antenna 500 meters high could be erected in several scenarios.

    decentralized-transmitter-tactics-1024x5
    Credit: Positive Security

    The most plausible scenario for such a transmitter is tethering a strong wire from a kite or weather balloon. Radio amateurs have been using such techniques for years to build antennas as high as 1 kilometer, so the researchers built a kite version prototype. To comply with local laws, they limited the height of their kite to 100 m line length and radiated less than 1 watt of power on the 2.2 km amateur radio band.

     

    Kite antenna field test.

    Weebles don't fall down

    The attack and the research behind it are elegant, but the grid security experts I talked to said they're doubtful it's possible to carry it out in the real world the way it's envisioned. And even if it is, they question whether the 60 GW estimate is accurate. Albert Moser, a RWTH Aachen professor with expertise in power grids, said both assumptions are very possibly not true.

     

    "A sudden deficit of 60 GW will definitely lead to a brownout because 60 GW is far more than [the] reserves available," he wrote in an email. "A sudden deficit of 60 GW could even lead to a blackout due to the very steep fall of frequency that likely cannot be handled fast enough by underfrequency relays (load shedding)."

     

    He said he's unable to confirm that 60 GW of generation/load is controlled by radio signals. He was also unable to confirm that security measures for Radio Ripple Control are insufficient.

     

    Jan Hoff, a grid security expert with experience securing the European grid against malicious hacks, said he doubted that much electricity could be dropped quickly enough to cause even a brownout. He likened the grid to the roly-poly toys from the 1970s, which were built to be knocked around but not fall over. "That's a very good analogy for a grid," he said.

     

    Attacks like the ones Russian state-backed hackers used to cause blackouts in Ukraine in 2015 and again in 2016 attacked substations, the distributed facilities where many power wires come together and things turn on and off.

     

    He elaborated:

     

    Here, we're talking the potential to impact participants on the grid and not necessarily those interconnects.
 So we just have control over individual feed-in points, which just from the timing you have to get right with the amount of production you have in the grid and the amount of current load you need for the grid to be destabilized by simultaneously ending control messages to every single station. That's where I do understand [the researchers'] train of thought, and that's why it's still concerning. but it would be something different if those messages would be affecting substations directly.

     

    The immediate effect would be for the grid operators to see anomalies feed in and would see this equilibrium of load and generation shift in a way that they weren't anticipating. Then they would take their measures accordingly. So it would result in additional grid control actions. And those grid control actions are normal.
They are a day-to-day thing.

    The ability of the described attack to take down the Central European grid is very much contested. There's less debate that it's time to retire Radio Ripple Control and replace it with something that's harder to tamper with.

    iMSys to the rescue

    One possible replacement would be iMSys, short for Intelligentes Messsystem. It currently uses LTE, the same wireless transmission standard that carries traffic over 4G mobile networks. LTE uses encryption to provide confidentiality and antispoofing protection. Short for Long Term Evolution, LTE isn't impervious to hacks (see here, here, and here). However, it contains a robust security architecture that would add a significant layer of protection that is not possible with Radio Ripple Control.

     

    iMSys is currently used mostly for smart meters. Regulators are considering plans to run iMSys on a completely independent 450 MHz LTE infrastructure that's reserved exclusively for critical infrastructure. The researchers say that, unfortunately, the roadmap for rolling out this plan is slow and doesn't adequately prioritize securing the most vulnerable parts of the grid.

     

    imsys-rollout-roadmap-1024x598.jpg
    Credit: Positive Security

    Further underscoring the lack of urgency in moving away from Radio Ripple Control, the researchers said, the city of Hamburg recently updated its infrastructure to adopt the standard.

     

    Neither EFR nor Germany's Federal Office for Information Security responded to requests for comment.

     

    Ultimately, the debate over the ability of malicious hackers to trigger a continent-wide blackout is moot and a distraction from the issue that really matters. The use of unencrypted radio signals that anyone can send to control power sent from generating facilities to the grid is never a sound practice and greatly violates a defense-in-depth approach to securing critical infrastructure.

     

    Source


    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    News posts... 2023: 5,800+ | 2024: 5,700+

    RIP Matrix | Farewell my friend  :sadbye:


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...