Security researchers offer caution on smart grids

(AP) -- The race to build a "smarter" electrical grid could have a dark side. Security experts are starting to show the dangers of equipping homes and businesses with new meters that enable two-way communication with utilities.

There are many benefits to upgrading the nation's electricity networks, which is why a smart-grid movement was already revving up before the recent economic recovery package included $4.5 billion for the technology. Smarter grids could help conserve energy by giving utilities more control over and insight into how power flows.

But presentations at the and DefCon security conferences here this week highlighted potential problems with moving too fast.

The risks are similar to what happens when computers are linked over the Internet. By exploiting weaknesses in the way computers talk to each other, hackers can seize control of innocent people's machines.

In the case of the , better communication between utilities and the meters at individual homes and businesses raises the possibility that someone could control the power supply for a single building, an entire neighborhood, or worse.

In one of the talks here, Mike Davis, a senior security consultant with Seattle-based IOActive Inc., demonstrated how a computer worm could hop between the meters at homes and businesses in a smart grid network. The worm could give miscreants remote control of the meters, which would let them take advantage of a utility's ability to, for example, disconnect someone's power for not paying his bill.

The key was found in devices made by only one manufacturer, a company that Davis did not name. But he said the worm could have spread to other manufacturers' products that used the same communications technologies and can be used to remotely disconnect people's power.

To get the computer worm going, a hacker might have to get physical access to one of the meters in order to program it with malicious code. That could start a chain reaction in which the worm spreads meter to meter over the grid's communication network. This hack might also be done remotely, Davis said, if the traffic on the network isn't encrypted, which means it's not cloaked in special computer coding so outsiders can't read it.

Davis compared the security of the nascent smart grids to the early days of the personal computer.

"Every time we redesign a new technology like this, we're doomed to relive the '80s and '90s all over again and the same vulnerabilities," he said.

Davis says he supports the smart-grid movement, but is troubled that smart meters are being deployed with remote-disconnect capabilities. Without that, "there's no real danger," he said.

The more benign uses of smart meters are why they're so hot. They help utilities distribute power more efficiently, and they could help consumers lower their bills by giving them more flexibility in how their homes use power. For instance, people could set appliances in their homes to scale down power consumption in peak times, when electricity is more expensive.

More than 50 million smart meters are expected to be deployed by U.S. electric utilities by 2015, according to a list of publicly announced projects kept by The Edison Foundation. More than 8 million have already been deployed.

Davis' research was commissioned by an unidentified utility. Other security researchers said it's uncommon for utilities to open their doors for outside hackers to test their technologies, which means Davis' research provides a rare public view of some of the problems that can crop up in smart grid rollouts.

Ed Legge, spokesman for Edison Electric Institute, a trade organization for shareholder-owned electric companies, said utilities are already doing similar security testing that isn't made public.

"We have the ultimate vested interest in securing our systems - if they stop working, or if they are brought down in any way, we can't run our businesses, and we lose money," he said. "We can't make this car without a seat belt. We have to be deliberate about this."

Some people in the industry argue that a more connected grid could be even safer than the aging and patchwork energy-distribution system we have now, because with new technology, security can be baked in from the start.

That argument rings hollow to some security researchers. They point out that the grid is already under attack, and that smart meters can create even more openings.

Spies have broken into parts of the U.S. electric grid and left behind programs that would allow them to disrupt service, government officials revealed this spring. The intrusions were discovered only after some electric companies opened their doors to audits. The full scope of the attacks is unknown, though, because the government doesn't have blanket authority to examine other electric systems.

Tony Flick, a principal with the Tampa, Fla.-based Fyrm Associates Inc., who spoke in Las Vegas on the regulations surrounding smart-grid security, says the system suffers from some of the same problems as the credit card industry, which lets many retailers self-certify that they're following the rules designed to prevent data breaches.

"In smart grids, utility companies are largely self-policing" their , Flick said. "There's this gold rush to basically grab some of that money to get it out there, but when you rush things to market you're more likely to make mistakes."

©2009 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Explore further

Smart Grid Technology: Vulnerable To Hackers

Citation: Security researchers offer caution on smart grids (2009, July 31) retrieved 18 July 2019 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Feedback to editors

User comments

Aug 01, 2009
Wouldn't it be safer to just have the grid work on a network that was entirely separate from the normal grid? One monitored at all times by the people running this smart grid? It would run, work, and function independent of the regular networks, and the there would have to be multiple layers of security for it to work. The only way I can see this working is if the entire system is kept separate and running at the same time. Completely independent, hot (requiring keys, passwords, and other security) to access, and kept entirely separate from the hacking community... Unless they like having the energy grid hacked :P

Aug 01, 2009
Zevkirsh, there's only a few percent of waste to squeeze out of the electrical grid.

The smart grid is a necessary but far from sufficient feature of a grid powered by a myriad of fickle streams of wind and solar energy. Nothing else benefits significantly from it.

There is nothing particularly smart about the smart grid. Its main feature is the ability to charge you exhorbitant rates to get you to curtail the use of washers, driers etc. when it is inconvenient for the grid. Failing that the grid has the ability to shut of your "smart" air conditioner or other non-essential high power device to protect itself from rolling black-outs or brown-outs.

The storage component for a "renewable" energy powered grid is another necessary component; neither batteries, hydrogen, flywheels, pumped storage or CAES can do it for less than hundreds of trillions of dollars; far costlier than the solar cells and wind turbines it is designed to support.

Mind you, this is intentional; this is exactly what the fossil fuel industry, particularly natural gas and coal, want. If they can't sell you the smart grid kool-aid they won't get to sell you as much natural gas and the coal industry is afraid you might do the cheap, safe and obvious solution, which is nuclear energy. There's a reason Enron was the biggest player in the wind industry and a huge proponent of cap and trade; they wanted to sell lots of natural gas and create lots of phony carbon credits with creative accounting.

Aug 01, 2009
Look, I work as a summer technology intern for a power company that's beginning to employ the smart grid technology, and I can tell you from first-hand experience that Zevkirsh doesn't know what he's talking about.

We're upgrading our system piecemeal; that is, not all smart tech is set to hit the grid at once. It'll take a long time (we're predicting a decade at least) before our entire sytem is up-to-date, but that also creates for huge problems. Almost all of the computers we have in the office are only defended from intrusion with Symantec or the Windows default firewall. Furthermore, most of these computers can be linked to our SCADA system (Supervisory Control And Data Acquisition) which can control individual substations. From the main office, it's possible to use SCADA to shut down entire substations and circuits remotely. This, however, doesn't yet account for the smart meters we'll be installing in homes throughout our system. If someone develops some malicious code to enable control over other meters, he can simply use his own meter as an ingress point to the system--the optical connectors we use to 'read' meters can be bought online.

To make a long comment short, the idea of the smart grid is nice, viz. improving our energy efficiency to reduce dependency on foreign oil, like Zevkirsh said. However, whenever you centralize things (create the smart grid), the vulnerability of this system increases drastically. Even though the current system may be more inefficient, at least you have to physically manipulate the components (GOABs, reclosers, open the high-side fuses in the substations themselves) in order to wreak any havoc.

We have to be extremely careful about how we proceed further with this project.

Aug 03, 2009
It's important to anticipate problems and then design to prevent them. I would note that there is already a great deal of computerized control of the grid now, albeit not at the individual home or business scale.

One problem I am encountering already is the confusion of the term 'smart grid' with smart meters at individual homes and businesses. The broader, and wiser, concept of smart grid includes: 1) self-healing (transmission failures are automatically repaired before we have massive blackouts), 2) interconnectivity (redundancy in power sources so that alternate circuits can be applied), 3) insularity (a failure in one place won't cascade to another), 4) full communication between nodes at all system levels (the one we are discussing here), and 5) the facilitation of efficient, long distance bulk transfers of renewable energies (specialized High Voltage Direct Current networks to transfer renewable energy between regions).

A smart grid that includes these elements will be a lot more secure and stable than what we have now.

Aug 05, 2009
Removing the manual control is going to save a great deal of money in the long term, but it may replace electrical engineers with computer network security specialists for quite some time to come in the short term - and so it should.

Perhaps the transition requires maintaining both systems for a period of testing and rigourous financially-rewarded hack testing - yes, full scale public participation hack attacks with financial rewards for the winning participants.

It was co-incidental that New York lost power at the same time that a new vulnerability on major server operating systems was 'discovered' a few years ago.

Wasn't it? I don't know.

Lets make the next coincidence quite intentional, and learn that not all hackers are bad guys.

Most just want to show that they can do 'what is possible to do' and live off the rewards, (respect, income). Better to throw wide open the barn doors to all the good-natured 'amateurs' you can find, than to leave a tiny, yet discoverable, door open to a real malicious 'expert'.

If the vulnerabilities detected cannot be plugged up after several iterations of the challenge, then let's consider making the 'smart grid' human-integrated, (semi-automated) and maintain the electrical engineers who make mistakes occassionally, but whom have kept us all going until now.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more