Despite reports earlier this year about spies penetrating the computers that help control America’s electrical grid, utility companies appear to be slow in clamping down on security, and that perception has led to a tongue-lashing from a House of Representatives committee.
U.S. Rep. Yvette Clarke (D, N.Y.) has accused the utilities of exploiting a loophole that allows them to avoid complying with Federal cybersecurity requirements.
Also, a security researcher’s revelations of flaws in the smart meters utilities are installing throughout the country added fuel to the fire.
Is the grid really as insecure as it seems?
The Security Issue
In April and June, news stories surfaced about foreign spies apparently hacking into the U.S. electrical grid. Reports that the North American Electric Reliability Corp. (NERC), an industry regulatory group, was negotiating with a defense contractor to search for breaches by cyberspies began making the rounds.
However, that may have been the tail end of a problem that is believed to be systemic to the modernization of the nation’s electricity infrastructure.
In March, application and smart grid security services provider IOActive announced it had verified significant security issues within multiple smart grid platforms.
Smart grids use digital technology to both deliver electricity and monitor equipment throughout the grid in order to make power delivery more efficient. They are being deployed by many utilities throughout the U.S.
“Research conducted throughout the industry has independently concluded these technologies are susceptible to common security vulnerabilities such as protocol tampering, buffer overflows, persistent and non-persistent rootkits and code propagation,” IOActive said.
That Darned Internet
These problems with smart grids emerged because the technology uses the Internet and, thus, depends on Internet protocol (IP). “The risks of IP networks were widely known in 1999, and there was even testimony to Congress that led to guidance by the administration in 2001,” Reed Henry, senior vice president of marketing at security and compliance management company ArcSight, told TechNewsWorld.
With a majority of control systems connected to networks, it’s imperative that utilities use centralized log management systems that can figure out when and where to respond to cybersecurity threats, he added.
Proven industry best practices, including independent third-party assessments, should be adopted in smart grid technologies implemented in America’s critical infrastructure, IOActive president and CEO Joshua Pennell told the Committee of Homeland Security and the Department of Homeland Security.
He also recommended that the smart grid industry follow a proven, formal security development life cycle like that laid out by Microsoft’s Trustworthy Computing Initiative.
Hammered in the House
News of the security flaws fired up the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, which had spent three years studying the security of the electric utility industry.
Subcommittee Chairperson Clarke said the U.S. electric utility industry had failed to appropriately protect itself despite years of warnings, and that utilities are apparently avoiding self-regulatory efforts by not designating their facilities or equipment as critical assets that need special protection.
Utility industry representatives countered that they have been working hard to improve cybersecurity and complained that the government doesn’t share enough up-to-date information.
NERC, the utility industry body that governs utilities, declined comment on these issues.
No, No, Mon AMI
Then came news that IOActive senior security consultant Mike Davis planned to give a presentation on the security flaws of smart meters at the Black Hat conference in Las Vegas in late July.
He planned to speak about a worm developed by an IOActive team he led. This worm replicates itself throughout smart meters once it’s introduced into one meter.
The IOActive worm is a rootkit that apparently lets hackers assume full system control of all exposed AMI capabilities, including remote power on and off, usage reporting, and communication configurations.
Introducing the worm into a smart meter is not hard to do, Davis told TechNewsWorld. Just pluck a smart meter off the outside wall of a residence or building — they’re often connected to the structure by a simple zip tie — then reverse engineer the software, load your own firmware onto the meter and re-connect it to the structure.
“Once you infect a meter, it can infect others,” Davis said. A simulation engine he wrote showed that a neighborhood grid with 22,000 houses equipped with smart meters can get infected within 24 hours.
“Every new meter that’s infected will update two others wirelessly using their peer-to-peer networking feature,” Davis said. “Hackers have already been using AMI grids to send and receive data in Europe.”
AMIs, or Advanced Metering Infrastructures, are the grids built around smart meters.
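To see why the time to detect and contain such spread matters, the following added example (not Davis' simulation engine, and not code from the original article) models the fan-out described above. It takes the 22,000 meters, the 24-hour window and the two-per-meter fan-out from the article; the single seed meter, equal time per round and absence of radio-range limits are simplifying assumptions.

```python
# Added illustration: simplified fan-out model, not the simulation engine from the article.
# From the article: 22,000 meters, 24 hours, each newly infected meter updates two others.
# Assumed here: one seed meter, equal time per round, no radio-range or timing limits.
import math

POPULATION = 22_000
WINDOW_HOURS = 24.0
FANOUT = 2


def affected_after(hops, population=POPULATION, fanout=FANOUT):
    """Total meters affected after `hops` rounds of spread from one seed."""
    total, newly = 1, 1
    for _ in range(hops):
        # Each newly affected meter reaches `fanout` more, capped by what is left.
        newly = min(newly * fanout, population - total)
        total += newly
        if total >= population:
            break
    return total


def hops_to_saturate(population=POPULATION, fanout=FANOUT):
    """Smallest number of rounds after which every meter is affected."""
    hops = 0
    while affected_after(hops, population, fanout) < population:
        hops += 1
    return hops


def exposure_at_containment(hours, window=WINDOW_HOURS):
    """Meters affected if spread is halted `hours` after the first infection."""
    hops_total = hops_to_saturate()
    # Rounds completed so far, assuming the rounds evenly fill the window.
    completed = min(hops_total, math.floor(hours * hops_total / window))
    return affected_after(completed)


if __name__ == "__main__":
    print(f"rounds to reach all {POPULATION} meters: {hops_to_saturate()}")
    for hours in (6, 12, 18, 24):
        n = exposure_at_containment(hours)
        print(f"contained at {hours:>2} h: {n:>6} meters ({n / POPULATION:.1%})")
```

Under these assumptions, halting the spread at the 12-hour mark leaves 255 meters affected, about 1 percent of the neighborhood; nearly all of the exposure accrues in the final few rounds.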
It’s All About Money
If smart meters are so insecure, why are utilities planning to install them? Because they help route power more efficiently, thus cutting costs.
An initial order of 9,000 smart meters by the Los Angeles Department of Water and Power (LADWP) for its commercial and industrial customers in 2004 cut electricity consumption by at least five percent, according to Jackson, Miss.-based wireless smart meter provider SmartSynch, which won the contract. The LADWP, which is the largest municipal utility in the U.S., ordered another 6,000 smart meters in 2007.
Smart meters are big business, and that business is growing. In July 2006, California’s energy regulators approved a program to replace ordinary electric meters in 9 million Northern California households served by PG&E with smart meters.
Davis’ revelations stirred up the industry.
“Everybody’s mad at me,” he said. “But some utilities are rolling AMIs out at the rate of 8,000 a day, and we’re trying to catch the problem before it becomes bigger.”
Of Self-Regulation and Loopholes
Still, the problem may not be out of hand yet. The utility grid may have security flaws, but every system we rely upon has its vulnerabilities, ArcSight’s Henry pointed out. The real question is not whether there are vulnerabilities, but whether the utilities are able to detect threats and attacks and respond to them, he said.
“Based on their business model and past experience, we expect the utilities to be actively monitoring for attacks and responding very quickly,” Henry said.
NERC is revising its standards to widen the assets that must be monitored, and Henry expects this new standard to be ratified by September.
Even the question of whether or not utilities are really exploiting a regulatory loophole has yet to be decided.
NERC’s guidelines let utilities determine for themselves whether or not they need to declare their equipment and facilities as critical assets.
While the utilities’ interpretation of the regulations might differ from Clarke’s, Henry said, that doesn’t mean either side is wrong. “The standards are new, so interpretations are bound to be different for at least the next several months,” he explained.
What About Google and Microsoft?
In light of the dangers of IP, are the related free, Web-based services offered by Google and Microsoft safe?
Earlier this year, Google launched PowerMeter, an application that shows consumers their utility consumption in a secure Google widget on their personal iGoogle home page. This was rolled out in limited beta to utility partners in the U.S., Canada and India, and Google will expand the rollout later this year.
In June, Microsoft rolled out a beta of Hohm, an online application that provides consumers with personalized energy-saving recommendations. Hohm uses advanced analytics licensed from the Lawrence Berkeley National Laboratory and the U.S. Department of Energy.
While Hohm uses information supplied by consumers in a form on its Web site, PowerMeter seeks to tap information from utilities’ meters. Both companies told TechNewsWorld that their technologies are secure.
“Security was a fundamental design requirement in Hohm,” said Troy Batterberry, product unit manager for Microsoft Hohm. “The Hohm data feeds employ industry standard and proven mechanisms such as HTTPS, certificate-based authentication, XML formats and Web Services to securely exchange data.”
Communication between utilities and Google is secure under prevailing industry standards, Google PowerMeter Product Manager Srikanth Rajagopalan said. “It is the utility that initiates all uploads of information to Google PowerMeter, so integrating PowerMeter doesn’t involve exposing information to a new Internet service.”
PowerMeter and Hohm do not inherently weaken the electricity grid’s security, ArcSight’s Henry said. “Hackers will always find ways to penetrate systems, so the issues are actually around whether industry and government can agree on a standard of security,” he explained.
Is the Threat Real?
Stories about security weaknesses always garner headlines, and ArcSight’s Henry believes that’s a large factor behind the fanfare about cybersecurity in the electric utilities industry.
That fanfare isn’t just there for the sake of boosting an individual security researcher’s professional stature, though; it also puts the spotlight on a weakness that could be exploited in the future if left unattended, even if it’s not necessarily being exploited now.
“Mike Davis is clearly trying to ensure that utilities are aware of some vulnerabilities he has found so they will address them,” Henry said. “This is not the same as saying utilities are planning to install insecure meters.”