Hardware-Layer Intelligence Collection for Smart Grid Embedded Systems

  • Charalambos Konstantinou
  • Michail Maniatakos


Smart grids include a variety of microprocessor-based embedded systems interconnected through communication technologies. In this interaction, hardware is the lowest level of abstraction. Insecure and unprotected hardware design of smart grid devices enables compromise of system operation, eventually leading to undesirable and often severe consequences. In this paper, we discuss how the hardware of grid equipment can be used to collect intelligence for either beneficial or malicious purposes. We consider different access scenarios and attacker capabilities, as well as the location of the equipment in the grid. The outcome of “hardware hacking” is examined at both the device and grid-operation levels. Finally, we present hardware hardening techniques that aim to make components attack-resistant and reduce their vulnerability surface.


Keywords: Security; Hardware; Embedded systems; Intelligence; Smart grid


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. FAMU-FSU College of Engineering, Center for Advanced Power Systems, Florida State University, Tallahassee, USA
  2. Center for Cyber Security, New York University Abu Dhabi, Abu Dhabi, UAE
