
06:20 PM

Smart Grid Lacks Smart Security

Devices could be used to conduct attacks on the power grid and on people's homes if they're developed without sufficient security, security researchers warn.

Smart grid technology, which aims to make the nation's power grid more efficient and interactive, may not be the bright idea its backers suggest unless it can be made more secure.

Without some thought given to security as Advanced Metering Infrastructure (AMI) Smart Meter devices are developed and deployed, we risk repeating the same dumb mistakes that leave networked computers open to attack.

There are currently around 40 million smart meters in use worldwide, about 2 million of which are in the United States, with an additional 100 million planned around the globe over the next few years. The Obama administration's recovery plan calls for 40 million smart meters to be deployed in the United States over the next three years.

The devices make energy monitoring data available online to home users and utilities in real time, enabling a variety of new scenarios for saving and selling energy. For example, home owners using smart meters could, through a properly equipped utility, collect solar energy and sell any excess to their power company.

But security researchers warn that the devices could be used to conduct attacks on the power grid and on people's homes if they're developed without sufficient security. That could mean blackout attacks, data theft, and billing fraud.

"We will be engineering major vulnerabilities into the power grid if the vendors of meters do not bake security in -- and they won't do that unless the government folks responsible for allocating money make 'provable defense against known and reasonably expected attacks' a prerequisite for funding," said Alan Paller, director of research at the SANS Institute, in an e-mail.

IOActive president and CEO Joshua Pennell spent some time last week trying to deliver that message to the Committee of Homeland Security and the Department of Homeland Security.

Testifying before the committee, he said, "Based on our research and the ability to easily introduce serious threats, IOActive believes that the relative security immaturity of the smart grid and AMI markets warrants the adoption of proven industry best practices including the requirement of independent third-party security assessments of all smart grid technologies that are being proposed for deployment in the nation’s critical infrastructure."

Last year, a CIA analyst confirmed that "cyberattacks have been used to disrupt power equipment in several regions outside the United States." Fortunately, such attacks aren't easy to execute because not that many cybercriminals understand the SCADA (supervisory control and data acquisition) systems that have traditionally controlled energy industry infrastructure.

But Pennell believes the transition to smart grid devices will change that. "One thing that is different is the barrier to entry," he said in a phone interview. "SCADA systems require an investment in time on the part of the attacker. Smart grids will be more accessible. The likelihood of attack on these systems, I think, is a little higher than it would be on a standard, big iron-style SCADA system."

Security researcher Ed Skoudis, co-founder of InGuardians, believes the threat is real. Access points to the smart grid will be outside of everyone's home and business and the smart grid devices will be widely available for cybercriminals to analyze, he explained.

Pennell said that now is the right time for the government and the energy industry to be having a conversation about security. He added that smart grid companies should adopt Microsoft's Security Development Lifecycle practices as they develop and deploy new energy metering technology.

Skoudis would like to see vendors be more open with the security community and support the work of independent penetration testers. "Right now, we're headed for a completely closed system and that's not good from a security perspective," he said.

