The job of messing with utility information systems may not be so hard if utilities deploy "smart" meters as is now the rage, without adequate security.
One of the risks of rushing to install "smart" meters is that these are basically computers with communications capability - in some ways analogous to the familiar computers we work with at our homes and offices.
Are the new "smart" meters as vulnerable to mischief as our home and office computers? Can miscreants "hack" into the devices to change or destroy the billing and usage data, trigger remote power shutoffs, or introduce malicious viruses and software "worms" to damage or redirect the functions of the meters?
According to a recent article, a cyber security expert has demonstrated that the "smart" meters might be vulnerable to such "hacking":
At the Black Hat security conference, Mike Davis, a senior security consultant for IOActive, demonstrated how his security team simulated the hacking of 16,000 out of 22,000 smart meters over a 24-hour period. They used a worm, a software patch, that gave IOActive the control to turn power on and off at one-second intervals at 16,000 homes.Mike Breslin, Nitty Gritty of Cyber Security - The Offense: Smart Meter + Slot Machine Security, Intelligent Utility, November/December 2009.
"We could have put anything in that worm we wanted as a payload," said Davis. "We did not have enough room in the smart meter to fit our code so we had to dump some functionality out for our worm to work. The functionality we dumped was the ability to wirelessly update the devices. That would have locked out the utility from wirelessly updating the devices."* * * * One feature in many devices is a remote disconnect that allows the utility to wirelessly disconnect an individual meter from the grid. "The nature of the worm we demonstrated is the danger that we were able to propagate it without the need for the utility. If we propagated it to hundreds of thousands of meters, we would have the ability to disconnect those," Davis said.
**** Because meters are wirelessly linked by radio frequency with a one- to two-mile range, worms or disabling viruses could hop from service area to service area on interoperable metering systems.
What are the consequences of hundreds of thousands without power? Someone would have to figure out how the meters are being exploited, create and test a corrective patch and, if firmware is compromised, individually deploy patches to every affected household.
See the Comments and Reply Comments of NASUCA to U.S. Department of Energy requests for information regarding "Smart Grid" initiatives.