New tool spots hacking vulnerabilities in smart meters
LAS VEGAS — Researchers probing the security of smart-grid technology presented their results at the Black Hat Briefings, and released a tool to help spot vulnerabilities in new smart meters.
“People are going to be messing with the meters,” said Don C. Weber, senior security analyst at InGuardians. The software tool, called OptiGuard, can help equipment vendors and utilities spot the weaknesses before the bad guys do.
Advanced Metering Infrastructure — or smart meters — are being installed in millions of homes and businesses as part of a national program to develop a smart electric grid. The Energy Department has distributed millions of dollars in grants for the development and implementation of smart-grid technology.
Because the grid is critical to national security, DOE and the National Institute of Standards and Technology are identifying and developing standards for security and interoperability.
InGuardians has been working with utilities and equipment vendors since 2008 to assess security and identify weaknesses in the technology — sometimes without complete cooperation. An equipment vendor blocked Weber's presentation at an earlier security conference this year.
“Every technology has some vulnerabilities associated with it,” Weber said. “We're doing our best to identify these things up front.”
Smart meters have an optical port that serves as a backup for analyzing and configuring the meters. Weber developed a tool that can use the port to probe a meter, identifying data components that can be read or reconfigured. Such attacks could allow someone to change the way the meters operate.
Utilities are more concerned with the impact of vulnerabilities on the grid than with individual meters, Weber said. “Right now this is a single attack,” he said. “I can use it on a single meter.”
But the work can help fix problems before they can be used to attack the grid on a larger scale. OptiGuard will be available to utilities, equipment vendors and security researchers.
Weber said the government's effort to develop security standards for the grid with industry is going well. “The standards are moving forward as fast as they can,” he added. But standards-making is a complex and time-consuming process.