Recently, an expert called the current state of smart grid initiatives and security policies in the US a “circus”. About that same time it was revealed that the FBI had warned utilities of smart meter hacks back in 2010. Below is an excerpt from my book, When Gadgets Betray Us (Basic Books 2011), describing other problems we’ve seen with the current smart grid.
Smart meters, unlike desktop systems, embed software programming within a chip; in other words, the software code doesn’t sit in volatile random-access memory but on a nonvolatile read-only memory (ROM) chip. This “tamperproof technology” is used for smart cards, such as those used for boarding a bus or train, and for medical gadgets, such as personal insulin pumps. Embedded systems are efficient because a coded chip requires less maintenance for something “out in the field” than a full-blown operating system. But “nonvolatile” doesn’t mean “invincible”: The ROM can still be “flashed”—that is, its code can be rewritten remotely. And this, researchers have found, is true with most smart meters on the market today.
With smart meters, attacks such as unauthorized software updates can affect millions of users at once. Instead of attacking the larger, older SCADA networks, an attacker might only focus on the newer smart meters hastily installed within the home. [Tony Flick of FYRM Associates] points out that Austin Electricity in Texas began installing smart meters in 2002, and another project at Salt River, Arizona, was installed in 2006—both well before the initial studies by NERC and the National Institute of Standards and Technology.
The principal flaw, say researchers, is that the smart meter units are designed to communicate with the utilities and with each other. A computer worm in one could propagate exploitation of a flaw to millions of interconnected units. And that’s exactly what another researcher showed at Black Hat in the summer of 2009. Mike Davis of IOActive found that he could rewrite the firmware of one smart meter and propagate a worm across millions of similar units. Davis told Internet News that he could also rewrite the code for more than one smart meter. “Due to the peer-to-peer nature of the network, we could hop from one meter to the next updating the firmware,” he said, “so that essentially they could all be running a custom firmware patch that any attacker could use to insert into the network.”
“We can switch off hundreds of thousands of homes potentially at the same time,” Davis told The Register. “That starts providing problems that the power company may not be able to gracefully deal with.”
Fortunately, [the researchers] have all shared their information with the smart meter vendors, some of which are making changes to their security designs. Others insist it is up to the utilities to configure security on their own.
This is neither the first nor the last time that gadgets designed for our convenience have been hastily implemented in the field without enough security. In this case, the costs of security mistakes will be huge. A critical feature of the AMR is the ability for a utility to shut off a delinquent account holder. At present, a utility worker must visit the residence or business; in the future, with smart meters, this will be done remotely. Now, imagine what might happen if Davis’s worm triggered the off switch on millions of smart meters.