Experts say smart meters are vulnerable to hacking

to a vast network.

There are few public studies on the meters’ resistance to attack, in part because the technology is new. Last summer, Mike Davis, a researcher from Seattle, Washington-based IOActive Inc., showed how a computer worm could hop between meters in a power grid with smart meters, giving criminals control over those meters.

Alan Paller, director of research for the Bethesda, Maryland-based SANS Institute, a security research and training organization that was not involved in Wright’s work with InGuardians, said it proved that hacking smart meters is a serious concern. “We weren’t sure it was possible,” Paller said. “He actually verified it’s possible. … If the Department of Energy is going to make sure the meters are safe, then Josh’s work is really important.”

Industry representatives say utilities are doing rigorous security testing that will make new power grids more secure than the current U.S. patchwork system — a system that is already under attack from adversaries believed to be working overseas. “We know that automation will bring new vulnerabilities, and our task — which we tackle on a daily basis — is making sure the system is secure,” said Ed Legge, spokesman for Edison Electric Institute, a trade organization for shareholder-owned electric companies.

Many security researchers say the technology is being deployed without enough security probing. Wright said his firm found “egregious” errors, such as flaws in the meters and the technologies that utilities use to manage data from meters. “Even though these protocols were designed recently, they exhibit security failures we’ve known about for the past 10 years,” Wright said.

He said InGuardians found vulnerabilities in products from all five of the meter makers the firm studied. He would not disclose those manufacturers.

One of the most alarming findings involved a weakness in a communications standard used by the new meters to talk to utilities’ computers (see “NIST Request for Input on Smart Grid Interface,” 25 February 2010 HSNW). Wright found that hackers could exploit the weakness to break into meters remotely, which would be a key step for shutting down someone’s power. Someone could also impersonate meters to the power company to inflate victims’ bills or lower their own. A criminal could even sneak into the utilities’ computer networks to steal data or stage bigger attacks on the grid.

Wright said similar vulnerabilities used to be common in wireless Internet networking equipment, but have vanished with an emphasis on better security. For instance, the meters encrypt their data — scrambling the information to hide it from outsiders. The digital “keys” needed to unlock the encryption, however, were stored on data-routing equipment known as access points that many meters relay data to. Stealing the keys lets an attacker eavesdrop on all communication between meters and that access point, so the keys instead should be kept on computers deep inside the utilities’ networks, where they would be safer. “That lesson seems to be lost on these meter vendors,” Wright told AP. That speaks to the “relative immaturity” of the meter technology, he added.