From: Governing

Public utilities nationwide are installing smart meters to streamline operations and empower customers, but whether these systems are secure is still of concern.

BY: Jessica Mulholland

Smart meter use for public utilities is growing. Late last month, Georgia Power finished installing 2.4 million digital meters at homes and businesses in its territory — all but four of the state’s 159 counties; nearly one in five residents in Belmont, Mass., now have smart meters; all 280,000 PEPCO customers in the District of Columbia have them; and after more than two years, the more than 600,000 Sacramento, Calif., residents who are customers of the Sacramento Municipal Utility District (SMUD) have smart meters.

And that’s just the tip of the iceberg.  On the whole, more than 36 million smart meters have been installed in homes and businesses nationwide, according to the Edison Foundation, an organization focused on the electric industry.

For customers, digital or smart meters allow tracking of energy usage in real time.  In some cases, customers can remotely turn off high-energy appliances midday to cut costs. On the public utility side, a meter reader no longer needs to access a customer’s property to read the meter each month; energy use is securely transmitted to the utility over a wireless network, saving time and resources.

But it’s this data transmitted from meter to utility — and the security of that data — that’s raising questions. “The primary concern is really a matter of numbers,” said Bob Lockhart, an industry analyst and smart grid expert with Pike Research, a market research and consulting firm. “You’ve got lots of them, so if one goes missing out of 35 million, maybe you don’t notice that right away.”

Lillie Coney, associate director of the Electronic Privacy Information Center, a public interest research organization in Washington, D.C., echoed that sentiment. Traditionally, utility companies collect about 12 data points on energy usage per electric utility customer per year, she said — which increases to every 15 minutes or less when smart meters enter the picture. “It’s a huge jump,” she said. “And the more granular the data collection, I don’t care what it is, communicates something about a person over time. The interest in that for the consumer is how that data might be used if it’s not secured.”

When it comes to securing smart meters themselves, it’s a little tricky. Lockhart notes that they’re not very powerful devices IT-wise, but they do have a processor and a little bit of hard drive space. “I’ve never heard of an anti-virus running on a smart meter,” he said, “and it’s tough to layer cyber security software on top of the smart meter.” First, the smart meter may not be powerful enough to run security software, and the processor likely lacks the space to run such a thing. “Or it may take so long for things like encryption to run that whoever is controlling the meter may think that it has timed out because he expects things to happen in a hurry.”

So determining how to secure the devices is a challenge in itself, as is whether a utility will even notice if one has been tampered with.

Two years ago, Pike Research forecasted that investment in smart meter security will total $575 million worldwide from 2010 to 2015, representing an average of about $3.00 per meter during that period. At the time, Lockhart noted that smart meters were one of the weakest links in the smart grid security chain — something he said has ultimately improved. And the biggest improvement, he said, has been awareness. “A lot of the well-publicized attacks against smart meters early on, even though they weren’t always done in real world situations — they were done when the researchers turned off all the security features — showed that it’s theoretically possible to compromise a meter, and that really got peoples’ attention,” he said.

Although smart meter security has technically gotten better, it is still of concern. In April, for instance, the FBI warned that hacking smart meters and the fraudulent power bills that result may cost utility companies about $400 million per year. And this, said Spencer McIntyre of security consulting firm SecureState, is also of concern when it comes to smart meter security. “That is essentially the concern — people defrauding the electrical company,” said McIntyre, who is a staff consultant on the firm’s research innovation team. “There have already been reported cases of this happening in certain South American countries, and we just want to be proactive about it here in America to ensure that this doesn’t happen.”

To that end, SecureState in late July released an open source hacking tool, designed by McIntyre, that will help identify vulnerabilities within the meters. “It can allow them [utilities] to see what is possible for other people, being that the software is completely available for everyone else,” he said. “They can use it internally to essentially see what the attackers see. To be able to perform these types of assessment themselves and check to make sure that the device is acting that way that it is intended to and the way that they think it is going to.”

Looking back at SMUD, for example, spokesman Christopher Capra said the utility hasn’t had any security breaches, but also does quite a bit to prevent against hackers. “SMUD follows information security industry best practices in managing its information systems to detect and prevent hacking and cyber attacks,” he said. “SMUD’s contractor for the wireless network, Silver Spring Networks, uses security practices equivalent to those used by the Department of Defense and the online banking industry.”

Additionally, all information transmitted within the network is encrypted and authenticated — and the only information securely transmitted within the network is the energy usage data, meter Network Interface Card ID, meter events and route information, Capra said. “This information is securely transmitted four times daily in bursts that last milliseconds,” he said, adding that no data that could be used to access a customer’s identity — like a social security number or credit or debit card number — will be stored or transmitted within the system.
Beyond the concept of stealing energy is the idea that denial of service attacks or infiltration by foreign intelligence services could affect the nation’s energy grid. But for most, this isn’t a reasonable fear. “I’m more concerned about the electric company selling information about our usage to some marketer,” said security expert Bruce Schneier. “I’m more concerned about cascading access, a software glitch causing power outages; I’m more concerned about hackers using it.”

Pike Research’s Lockhart also noted the cascading access issue — there is some concern that an attacker who takes control of one meter could then take control of other meters through things like mesh networks, and then create a cascading problem. “What you get into there is the difference between what is possible from an IT perspective and a perspective of how electricity works” he said. “I’m not an electrical engineer, but when I ask people who run meters, they say, ‘No you can’t do that.’”

And as for a cascading failure by a hacker changing voltages and getting the entire energy grid to “start acting funny,” Lockhart said, “the people who’ve engineered the grid have assured me that that’s not possible; that the hardware will prevent that.”

But as Lockhart notes, we should never say never. On the whole, it is possible that a fully implemented meter could be compromised — how far a hacker can get from there depends on how well a particular utility has implemented security.

And putting something on the Internet, Schneier said, ultimately has risks — it has value and it has risks. “What I want is for the companies and the government to take the risks seriously and design a good system,” he said. “It won’t be a perfect system; it’ll still have vulnerabilities, because they all do, but they’ll be vulnerabilities we can fix. Right now, every month, your OS gets several security updates; if it’s an embedded thermostat, a lot of them can’t be updated, so then what happens? In the rush to do it, we do it wrong.”