It’s a sensitive subject, as high-profile electronic attacks on infrastructure like the Cal ISO incident have emerged concurrent with the Obama administration’s prioritization of national cybersecurity, but with a focus on the power grid in particular. In fact, Obama cited smart-grid security specifically as a reason for crowning a “cybersecurity czar.”
The new position came after a series of reports emerged, from an anonymous article in The Wall Street Journal claiming spies had infiltrated national power grids to a report published by cybersecurity firm IOActive that a hacker could boost power to millions of homes at once, causing the grid to fail.
Mike Davis, IOActive security consultant, told The Register, “We can switch off hundreds of thousands of homes potentially at the same time. That starts providing problems that the power company may not be able to gracefully deal with.”
He said the vulnerabilities arise from the “vast majority” of smart-meter systems using no encryption or authentication processes to prevent malicious infiltration.
Itron disagrees, and has hired cybersecurity firm Certicom to encrypt its smart meters, and has designed its networks so that all commands must pass through “trust centers” that are “diligently locked down with certification and authorization, in our opinion to the highest security levels available,” Rich Creegan, VP of marketing at Itron, told Greentech Media.
For intrusion response, Itron works with Industrial Defender, a cybersecurity firm specializing in industrial and utility control systems upgrading to newer technology. Creegan said the company serves as “the watchdog, minding the perimeter, so to speak, and makes sure the right people are getting into the right places.”
The concern about smart-meter security arises from its close, direct interface with households, able to turn on and off utilities, send signals to appliances to turn off during peak energy demand times, and potential abuses therein. Creegan said this “two-way command and control” necessitates “dilig[ence]” about the system’s security.
Erfan Ibrahim, power delivery technical executive for the utility group Electric Power Research Institute, offered, “It’s not true that smart meters are being put up without any meter-to-meter authentication and encryption.”
He explained that security gaps detailed by IOActive’s report arise from pilot projects, meant to find and correct problems within a system, but not ready for implementation.
“I don’t want to suggest that we’ve solved the cybersecurity problem,” he qualified, saying “elementary” hacking techniques are well in hand. But “sophisticated scenarios where the hacker really knows the system and could exploit the vulnerabilities,” pose a difficult problem.
Todd Nicholson, Industrial Defender‘s CMO, said insider threats are a primary concern for his company’s clients. He said insider threats range from a disgruntled employee seeking revenge to a college intern uploading malware that wreaks havoc within a network. But he added that “extending an IP-based network all the way down to the meter level” means both inside and outside threats an increased threat.
Ibrahim concluded a centralized architecture could be a major flaw in the smart-grid’s design, saying, “you don’t want a single point of failure.”
In an arch, the keystone placed at the top holds all the other pieces in place. If it is removed, the arch collapses. There shouldn’t be a keystone at the top of the smart grid.