The wonder of the Internet – its ability to provide both instant and constant access to data – is merging with our electricity meters and with the appliances inside our homes as the vision of the new, improved, smart grid comes into focus. But, just as with the dawn of the Internet, the smart meter – a key component of the smart grid – might usher in a whole host of privacy problems and data land mines.
That’s the finding of Joshua Pennell and Michael Davis, president and senior security consultant, respectively, for computer security firm IOActive. The pair have published an article in energy industry publication Energy Pulse describing their findings on the security protections – or lack thereof – being built into smart meters (also known as advanced metering infrastructure, AMI meters).
They claim that IOActive researchers have been able to hack into smart meters and found that they could manipulate them in a number of ways that are representative of major weaknesses in hardware design. “Vulnerabilities in the smart grid could cause utilities to lose system control of their metering infrastructure to unauthorized third parties, exposing them to fraud, extortion attempts, lawsuits, widespread system interruption, massive blackouts or worse,” they note in the article.
And in an article published in the IT security website The Register, Davis says that he plans to demonstrate his firm’s findings at the Black Hat security conference in Las Vegas next month. As part of his demonstration, he’ll show a software worm that he and his colleagues programmed to propagate across a number smart meters (he has not revealed the maker of the smart meter he’ll demonstrate). According to The Register: “Once infected, the device is under the control of the malware developers in much the way infected PCs are under the spell of bot herders. Attackers can then send instructions that cause its software to turn power on or off and reveal power usage or sensitive system configuration settings.”
Smart meter technology has been under development for many years and it represents a tremendous opportunity to better manage natural resources and control energy costs. Smart meters allow two-way communication between the utility provider and the end user, which enables systems such as demand response programs that allow consumers to decide when and how to consume energy based on current demand and cost, per kilowatt hour.
But as we noted back in March, the smart meters have a lot of maturing to do – both in terms of standards and data security – before they’ll really be ready for prime time.
As The Register piece notes, in their enthusiasm to capture some of the $4.5 billion that the stimulus bill has appropriated for building out the smart grid, utilities may be more willing to skip the due diligence they should be doing before buying and distributing smart meters to their customers. Davis says that while utilities used to ask his firm to perform “penetration tests” on smart meters, they’ve not been doing so since the stimulus bill passed.
Fortunately, IOActive isn’t the first party to raise red flags about smart meter data security and isn’t the only party calling for security standards. A number of energy industry groups are already doing so and the Department of Energy, working with the National Institute of Standards and Technology (NIST), is integrating security protocols into smart grid standards. Congress is considering a number of bills, including the Critical Electric Infrastructure Protection Act (CEIPA), aimed at bolstering the grid against cyber-attacks.
Still, it seems like demonstrations that expose potential vulnerabilities – even when they happen within the regular insular group of hackers that attend Black Hat conferences – are important. Everyone wants a modernized, more responsive utility grid. But since these meters are meant to last for a decade or more, making them secure from the get-go is a vital step in the evolution of the smart grid.