Secure smart-grid meters sooner, not later, security expert says
A key component in the Energy Department’s plan for building a smart electrical grid
is an advanced metering infrastructure (AMI), a two-way system of meters that would allow providers to monitor electrical use, balance supply with demand and even give customers more control over how they use electricity.
However, the potential problem with two-way communication is that it works both ways, and AMI technology appears to have a lot of holes. Mike Davis, a senior security consultant at IOActive, and Joshua Pennell, the company’s president, wrote on the EnergyPulse.net site that an IOActive team identified multiple programming errors on smart-meter platforms, “ranging from the inappropriate use of banned functions to protocol implementation issues. The research team was able to ‘weaponize’ these attack vectors and create an in-flash rootkit, which allowed them to assume full system control of all exposed smart-meter capabilities….” The team was also able to deploy a worm.
Davis plans to demonstrate the attacks at next month’s Black Hat conference in Las Vegas. He’s not advocating hacks of the grid, of course. He’s just making the point – too often discovered after the fact – that DOE and its partners should build security into the system before it goes into service. It would seem the smart thing to do.
Kevin McCaney is the executive editor of GCN. Follow him on Twitter: @KevinMcCaney.