Blog: ICS, IIoT, SCADA

Bluetooth + Electrical switchgear

Ken Munro 21 Apr 2018

Bluetooth control is starting to emerge as a safety-related option for some high-voltage electricity transmission equipment. It’s a wise move for safety, as it means that engineers can operate switchgear from a distance, dramatically reducing the chance of injuries from flashover.

This is a rare incident, but can be deadly <find a better / free image>

Several of my colleagues worked previously in security for transmission equipment, as part of their roles in industrial control security. Sadly, security doesn’t seem to have been taken as seriously as the safety case, which could actually make safety worse.

Pole mounted transformers are a common point for power cuts to be initiated from. Protection mechanisms will trip the transformer, cutting power in the event of an overload or short circuit. In many cases, an auto-recloser will try to reset the transformer after a few seconds, which is why you’ll often see the power restored shortly after a cut.

<is there a pulse sent down the wire?>

However, if the recloser fails to restore power, there’s usually a deeper issue to investigate. That’s when an engineer may be sent to troubleshoot.

More recent pole mounted transformers and/or switchgear will have a control cabinet, from which parameters can be read and controls operated. For security reasons these are often mounted up the pole itself. Climbing poles towards high voltage cables bring risk to the engineer, even if the power has tripped!

<pic like this>

Those controls can be physical boards with breakers and buttons, though increasingly there will be a serial connection from which a diagnostics device can be attached. Yet, the engineer still has to climb the pole.

That’s why Bluetooth is starting to emerge as an interface from which engineers can diagnose issues and reclose the trips from the ground.

We started looking at some tenders issued by power transmission companies and also some of the datasheets and manuals for new Bluetooth switchgear, looking for security controls. The results were not good!

First, vendors

The first device we discovered used Bluetooth Classic / BT-EDR and had a static pairing PIN. It was ‘0’, as per the manual:

There wasn’t even a method we could find to change it, nor was there a process for putting it in to a pairing mode. It was always pair-able.

Why is this a problem? That means in theory that any nearby Bluetooth device could be connected to it. That would give one a serial connection to the device. Here’s an example of what one could do:

Auto recloser CLOSE/OPEN

Adjust protection sequence for Live Line working: instantaneous trip without reclose

So a malicious local actor could cause power cuts, or perhaps re-enable power whilst the line was being worked on.

Cellular comms are another matter, but we’re increasingly seeing SIM cards and cellular modems in real time units (RTUs) and other ICS equipment, particularly power transmission equipment:

Second, power transmission companies

“If you don’t ask, you don’t get” is the order of the day here. We reviewed several relatively recent tenders for provision of remote control systems for pole mounted switchgear that we found online.

Whilst all of these detailed requirements for remote access to the switchgear for safety reasons, either through cellular data or Bluetooth, not a single one had any reference to security.

Don’t get me wrong; many power companies are ‘all over’ security, but clearly not all are as mature.

Recommendations

Bluetooth security can be achieved, even in complex field based operations with multiple engineers and multiple devices to interface with the switchgear.

Even something as simple as a pre-shared key would make a difference here; whilst not ideal it certainly makes attacks harder. One would need to steal a device or otherwise recover the key.

Bluetooth Low Energy / BLE offers several options for security, from a simple ‘just connect’ with no security, through to a short term ‘pairing’ or a long term ‘bond’ with cryptographic key exchange.

Conclusion

Remote control of switchgear is undoubtedly a big plus for safety, efficiency and quick restoration of power. Indeed, proactive fault prediction will also help with uninterrupted power supply.

However, without security it actually could decrease safety in some circumstances and could affect power supply too.

Bluetooth is one option, however it’s important that cellular security is also addressed if used. There’s more on that here: https://www.pentestpartners.com/security-blog/how-to-crack-private-apn-keys-with-hashcat/