Without some thought given to security as Advanced Metering Infrastructure (AMI) Smart Meter devices are developed and deployed, we risk repeating the same dumb mistakes that leave networked computers open to attack.
There are currently around 40 million smart meters in use worldwide, about 2 million of which are in the United States, with an additional 100 million planned around the globe over the next few years. The Obama administration's recovery plan calls for 40 million smart meters to be deployed in the United States over the next three years.
The devices make energy monitoring data available online to home users and utilities in real time, enabling a variety of new scenarios for saving and selling energy. For example, home owners using smart meters could, through a properly equipped utility, collect solar energy and sell any excess to their power company.
But security researchers warn that the devices could be used to conduct attacks on the power grid and on people's homes if they're developed without sufficient security. That could mean blackout attacks, data theft, and billing fraud.
"We will be engineering major vulnerabilities into the power grid if the vendors of meters do not bake security in -- and they won't do that unless the government folks responsible for allocating money make 'provable defense against known and reasonably expected attacks' a prerequisite for funding," said Alan Paller, director of research at the SANS Institute, in an e-mail.
IOActive president and CEO Joshua Pennell spent some time last week trying to deliver that message to the Committee of Homeland Security and the Department of Homeland Security.
Testifying before the committee, he said, "Based on our research and the ability to easily introduce serious threats, IOActive believes that the relative security immaturity of the smart grid and AMI markets warrants the adoption of proven industry best practices including the requirement of independent third-party security assessments of all smart grid technologies that are being proposed for deployment in the nation’s critical infrastructure."
Last year, a CIA analyst confirmed that "cyberattacks have been used to disrupt power equipment in several regions outside the United States." Fortunately, such attacks aren't easy to execute because not that many cybercriminals understand the SCADA (supervisory control And data acquisition) systems that have traditionally controlled energy industry infrastructure.
But Pennell believes the tradition to smart grid devices will change that. "One thing that is different is the barrier to entry," he said in a phone interview. "SCADA systems require an investment in time on the part of the attacker. Smart grids will be more accessible. The likelihood of attack on these systems, I think, is a little higher than it would be on a standard, big iron-style SCADA system."
Security researcher Ed Skoudis, co-founder of InGuardians, believes the threat is real. Access points to the smart grid will be outside of everyone's home and business and the smart grid devices will be widely available for cybercriminals to analyze, he explained.
Pennell said that now is the right time for the government and the energy industry to be having a conversation about security. He added that smart grid companies should adopt Microsoft's Security Development Lifecycle practices as they develop and deploy new energy metering technology.
Skoudis would like to see vendors be more open with the security community and support the work of independent penetration testers. "Right now, we're headed for a completely closed system and that's not good from a security perspective," he said.
InformationWeek is conducting a survey on data loss prevention. Find out more here, and take part through March 25.