Security researchers say that new “smart” meters, which are part of
the envisioned Smart Grid and which are designed to help deliver
electricity more efficiently, also have flaws that could let hackers
tamper with the power grid in previously impossible ways (see
“Utilities to Bolster Smart Grid Cybersecurity,” 8 February 2010 HSNW;
and “How Vulnerable is the Smart Grid?” 3 December 2009 HSNW).
The AP reports that at the very least, the vulnerabilities open the
door for attackers to jack up strangers’ power bills. These flaws also
could get hackers a key step closer to exploiting one of the most
dangerous capabilities of the new technology, which is the ability
remotely to turn someone else’s power on and off.
The attacks could be pulled off by stealing meters — which can be
situated outside of a home — and reprogramming them. An attacker could
also sit near a home or business and wirelessly hack the meter from a
laptop, according to Joshua Wright, a senior security analyst with
InGuardians Inc. The Washington, D.C.-based firm was hired by three
utilities to study their smart meters’ resistance to attack.
These utilities, which he would not name, have already done small
deployments of smart meters and plan to roll the technology out to
hundreds of thousands of power customers, Wright told the AP.
There is no evidence the security flaws have been exploited, although
Wright said a utility could have been hacked without knowing it.
InGuardians said it is working with the utilities to fix the problems.
Power companies are aggressively rolling out the new meters. In the
United States alone, more than eight million smart meters have been
deployed by electric utilities and nearly sixty million should be in
place by 2020, according to a list of publicly announced projects kept
by the Washington, D.C.-based Edison Foundation, an organization
focused on the electric industry.
AP notes that unlike traditional electric meters that merely record
power use — and then must be read in person once a month by a meter
reader — smart meters measure consumption in real time. By being
networked to computers in electric utilities, the new meters can
signal people or their appliances to take certain actions, such as
reducing power usage when electricity prices spike.
This very interactivity is what makes smart meters so attractive, but
it also makes them vulnerable to hackers, because each meter
essentially is a computer connected to a vast network.
There are few public studies on the meters’ resistance to attack, in
part because the technology is new. Last summer, Mike Davis, a
researcher from Seattle, Washington-based IOActive Inc., showed how a
computer worm could hop between meters in a power grid with smart
meters, giving criminals control over those meters.
Alan Paller, director of research for the Bethesda, Maryland-based
SANS Institute, a security research and training organization that was
not involved in Wright’s work with InGuardians, said it proved that
hacking smart meters is a serious concern. “We weren’t sure it was
possible,” Paller said. “He actually verified it’s possible. … If the
Department of Energy is going to make sure the meters are safe, then
Josh’s work is really important.”
Industry representatives say utilities are doing rigorous security
testing that will make new power grids more secure than the U.S.
current patchwork system — a system which is already under hacking
attacks from adversaries believed to be working overseas. “We know
that automation will bring new vulnerabilities, and our task — which
we tackle on a daily basis — is making sure the system is secure,”
said Ed Legge, spokesman for Edison Electric Institute, a trade
organization for shareholder-owned electric companies.
Many security researchers say the technology is being deployed without
enough security probing. Wright said his firm found “egregious”
errors, such as flaws in the meters and the technologies that
utilities use to manage data from meters. “Even though these protocols
were designed recently, they exhibit security failures we’ve known
about for the past 10 years,” Wright said.
He said InGuardians found vulnerabilities in products from all five of
the meter makers the firm studied. He would not disclose those
manufacturers.
One of the most alarming findings involved a weakness in a
communications standard used by the new meters to talk to utilities’
computers (see “NIST Request for Input on Smart Grid Interface,” 25
February 2010 HSNW). Wright found that hackers could exploit the
weakness to break into meters remotely, which would be a key step for
shutting down someone’s power. Someone could also impersonate meters
to the power company, to inflate victims’ bills or lower his own. A
criminal could even sneak into the utilities’ computer networks to
steal data or stage bigger attacks on the grid.
Wright said similar vulnerabilities used to be common in wireless
Internet networking equipment, but have vanished with an emphasis on
better security. For instance, the meters encrypt their data —
scrambling the information to hide it from outsiders. The digital
“keys” needed to unlock the encryption, however, were stored on data-
routing equipment known as access points that many meters relay data
to. Stealing the keys lets an attacker eavesdrop on all communication
between meters and that access point, so the keys instead should be
kept on computers deep inside the utilities’ networks, where they
would be safer. “That lesson seems to be lost on these meter vendors,”
Wright told AP. That speaks to the “relative immaturity” of the meter
technology, he added.