Security Firm Finds Smart Meter Problems

APRIL 2, 2010

Last week, The Associated Press reported on another incident of a security company finding flaws in the anti-hacking capabilities of smart-grid technology—in this case, smart meters.

Washington, D.C.-based security firm InGuardians was recently hired by three unnamed electric utilities to study their smart meters’ resistance to attack. The utilities have already done small deployments of smart meters and plan to roll out the technology to hundreds of thousands of power customers, said Joshua Wright, a senior security analyst with InGuardians. Wright said his firm found “egregious” errors, including flaws in the meters and the technologies that utilities use to manage data from the meters. “Even though these protocols were designed recently, they exhibit security failures we’ve known about for the past 10 years,” Wright said.

One of the key findings involved a weakness in a communications standard used by the meters to pass information to the utilities’ computers. Wright found hackers could exploit this weakness to break into meters remotely—which could enable a hacker to shut off someone’s power, send false information to the power company or access the utilities’ computer networks to steal data or stage larger attacks on the grid.

Similar vulnerabilities used to be common in wireless Internet networking equipment, but have mostly vanished with an emphasis on better security, Wright said. That speaks to the “relative immaturity” of smart meter technology.

Last April, Solutions News Bulletin reported that IOActive, a Seattle-based security assessment firm, said a year-long independent test of smart-grid technology and infrastructure plans found the systems to be vulnerable to the same types of hacker attacks as most computer systems. These vulnerabilities could “expose utility companies to possible fraud, extortion attempts, lawsuits or widespread system interruption,” the company said.