Experts Hack Smart Meters

I've written quite extensively on the growing debate over smart electricity meters and the potential threat they pose to privacy (if we don't take the proper precautions). Public Utilities Commission's (PUC) across the country are currently considering how to implement such a grid, and in response to a rulemaking by the CPUC, and the lack of attention being paid to the concerns of privacy advocates to date on this issue, the Consumer Federation of California (CFC) recently joined The Utilities Reform Network (TURN) in urging the Commission to allow for a more comprehensive review and debate regarding such concerns.

As I have written too, the CPUC has agreed to hold separate privacy specific hearings - with accompanying workshops and public comments.

Today I want to focus on an article in today's North County Times that highlights some of the "security" concerns I have been bringing attention to here.

As I wrote in an editorial on the subject in the California Progress Report a few months back,:

"The paradox of a smart grid system is that what will ostensibly make it an effective tool in reducing energy usage and improving our electric grid - information - is precisely what makes it a threat to privacy: Information (ours). It is this paradox that has led some to suggest that privacy might even be the “Achilles’ heel” of the “Smart Grid”. What are the unintended consequences of such a system?

Personal privacy issues routinely arise when data collected is harmless in isolation, but becomes a threat when combined with other data, or examined by a third party for patterns. A few principles we should keep in mind as we develop a regulatory framework for such a transition will be consumer control, transparency, and accountability."

In addition, I took on the subject of hackers, saying "Hackers and criminals might seek to falsify power usage, pass on their charges to a neighbor, install a virus and take down the entire system, disconnect someone else from the grid, and plan burglaries with an unprecedented degree of accuracy."

I also delved into the subject of data and system protection:

3. How is your data protected? Utilities should be mandated by law, with strong penalties, to protect information against anyone who would seek to monitor/steal/manipulate it. The challenge here then is how to best protect the 1. Security of the Database and 2. Security of the Data in Transit (which could be trickier as it is wireless).

4. What happens if your data is breached: Consumers should be notified immediately in the event that personal information has been obtained by a party without the requisite consent.

With that backdrop, let me get to the article in the North Count Times entitled "Experts Hack New Power Meters".

Eric Wolff writes:

Utilities say they have been hardening the smart meters since they began development, but security consultants say they are worried: If criminals cracked the system, they could remotely install a virus that could shut down power for millions of customers. The new smart meters will have a host of capabilities: They will credit homeowners who produce their own electricity via solar cells or wind mills, be able to wirelessly communicate data to the utility and let utilities turn off the power remotely, among other functions that could be added."Were it telemetry only, then the only compromise is privacy," said Mike Davis, senior security consultant for the security service IOActive. "When you add remote disconnect, then you increase the attractiveness of the meter as a target."

Davis and his team hacked into smart meters last spring as part of a proof-of-concept they showed off at a Las Vegas security conference last summer. They reverse engineered meters they bought on eBay and found in trash bins near installation sites. Then they installed a computer virus that would replicate itself across the wireless network and block the utility from each meter as it went.

...

The demonstration may have also driven the federal government to create standards for smart meters in the previously unregulated smart meter arena. The National Institute of Standards and Technology, a branch of the Department of Commerce, released a draft of standards in September...

The encryption would apply primarily to over-the-air communications from the devices. In theory, a criminal could sit in a car up to a mile away from a site and attempt to hack the WiFi signal of the devices. Baker said that would be pretty hard. "It's called security in depth," Baker said. "The old technology is there's one key that could open every door in the neighborhood. In the systems employed today, you need a different key for every room in your house." Alternatively, a hacker could just try to wire directly into a meter.

...

Davis said he is pleased that there is third-party testing, but he is still worried about creating a monoculture of devices. Because all the smart meters installed by SDG&E and Edison will be made by the same company and use the same software, they're only as strong or as weak as any one unit. "If the attacker finds the vulnerability in one, the entire network is vulnerable," he said. "That's a catastrophic failure."

Click here to read the article in its entirety.

Elias Quinn, from the Center for Environmental and Energy Security (CEES), at the University of Colorado Law School, and author of "Privacy and the New Energy Infrastructure" sums up the important to ensure proper safeguards are put into place before, not after, the system becomes more ubiquitous:

"Here—as with all attempts at anticipating problems—the solution must involve, first and foremost, drawing attention to the potential privacy problem posed by the massive deployment of smart metering technologies and the collection of detailed information about the electricity consumption habits of millions of individuals.

From there, efforts to devise potential solutions must progress in parallel paths, the first in search of a regulatory fix, the second a technological one. The first protects against the systematic misuse of collected information by utilities, despite new pressures on their profitability, by ensuring the databases are used only for their principle purposes: informing efficient electricity generation, distribution, and management. Such regulatory fixes are not difficult.

In the final analysis, the privacy problem posed by smart metering is only a difficult one if the data gets unleashed before consequences are fully considered, or ignored once unfortunate consequences are realized. But to ignore the potential for privacy invasion embodied by the collection of this information is an invitation to tragedy."

I'll be back with more on this issue as it comes, particularly when I know when the CPUC hearings are to take place, and what is said at them.