Report: Security Holes Could Wreak Havoc in Proposed Smart Grid
Mar 23, 2009 11:55 AM PT
It is supposed to revolutionize the way electricity is delivered and managed. It has US$4.5 billion targeted for it in the Obama economic stimulus package. However, the so-called "smart grid," as it is being developed today, won't be able to outsmart hackers looking to damage the U.S.'s utility infrastructure, according to a Seattle-based security firm.
IOActive issued a report Monday claiming that technologies now being rolled out in several cities throughout the country "are susceptible to common security vulnerabilities such as protocol tampering, buffer overflows, persistent and non-persistent rootkits, and code propagation," the company said. "These vulnerabilities could result in attacks to the Smart Grid platform, causing utilities to lose momentary system control of their Advanced Metering Infrastructure (AMI) Smart Meter devices to unauthorized third parties. This would expose utility companies to possible fraud, extortion attempts, lawsuits or widespread system interruption."
The purpose of the study is to make sure security strengths are "baked into" the smart grid technologies before deployment, IOActive's president and CEO Josh Pennell said. That's not happening at the moment, he told TechNewsWorld.
"The smart grid represents a lot of great things: a lot of jobs, upgrading of the nation's infrastructure, which is currently running about 1960s technologies, and bringing it up to speed to the 21st-and-a-half century," Pennell said. "But we're not taking the lessons learned in the computer industry at large. We really need to study security specifications and bring them up to date for the digital age."
A spokesperson for the group that speaks for approximately 70 percent of the electric utility industry -- the investor-owned segment -- agrees with Pennell. "Security has to be built into the system for it to work and for it to be reliable," Ed Legge with the Edison Electric Institute told TechNewsWorld. "It's not like this is something that isn't on our radar. Our security guys spend all their time worrying about this."
That's because the promise of a smart electric grid -- something New York Times columnist Thomas Friedman mentions in his bestselling book "Hot, Flat and Crowded" -- necessitates a near-foolproof system that has the confidence of the government, the private sector and the consumers who will ultimately be paying for it. Imagine a two-way, fully-automated network of electricity transmission that knows when demand is up and down, and how to make that work in a cost-effective manner for utilities and homes. Consumers could set preferences based on needs and time spent in the home; smart appliances plugged into the grid could know when to turn themselves on and off based on peak usage hours; electric cars hooked up to the grid could give back unused power.
Such a system mandates the best in security, Legge said. "We went through this with Y2K. Our industry spent billions to scrub everything then. That doesn't mean you don't have to keep scrubbing. Every time you have some kind of new computerization, there's that element and it has to be addressed."
The fact that the industry is at the dawn of the smart grid era is an advantage, Legge said. "We're an industry that doesn't have the luxury of bringing out a new product every year and having that as a business model. We have to build for distance. Everything we put in will need to be upgradeable as technology improves. It's coming from customer money, and as we go along, we're going to have to build in the ability to protect it."
Congress laid the foundation for more security accountability with the Energy Policy Act of 2005, which came two years after a major power outage hit the U.S. East Coast and Midwest, Legge said. The act included new cybersecurity initiatives along with more regulation by the Federal Energy Regulatory Commission and more industry responsibilities to the National Institutes for Standards and Technologies. "Homeland Security is also all over this, and we have security committees" within the EEI, he added.
Puget Sound Energy -- the state of Washington's largest utility -- is exploring the smart grid market from the standpoint of customer benefits, spokesperson Andy Wappler said. "But at this point, specific concerns like security are hard to address, simply because the overall market is still something that's really being defined," Wappler told TechNewsWorld.
PSE, like a lot of other utilities, has been dealing with security issues regarding customer data since it went to automated meters in the late 1990s. It's still a one-way technology, but wireless data collection made at-home meter-reading visits obsolete while necessitating a new focus on security. "That has to be a secure network," Wappler said. "Once we have more customer data here (at utility headquarters) then how do we protect that, and how do we allow customers access through our Web portal to see more of their data? When we do that we need to be more secure and respect people's privacy. Some of these issues become more complicated as you get closer to a true smart grid."
Also complicating matters is the nature of the security flaws in the proposed system, IOActive's Pennell said. That's why he says his company will not release the actual findings. But he has briefed government officials. "I'm not at liberty to go into that conversation," he said. "But they were people that are tasked with needing to know the more intimate details.
"Before smart technologies are adopted widely, they really need to go through a proper vetting from a security standpoint. That's what's going to get people's attention. This is not an unknown issue, and people are already trying to get their heads wrapped around it," Pennell said.