The Register, an IT-industry publication in the UK, has an article about a new kind of security problem currently under active development. Motivated in part by a drive for greater efficiency, and more recently by the prospect of receiving economic stimulus funds from the US government, several electric utility companies are working on the development and deployment of so-called “smart” electric meters:
The new generation of meters will enable what utility companies call smart grids. They turn the power grid into a real-time computerized network, which has the ability to make automated decisions in real time based on data collected from millions of sensors. That would eliminate the need for meter readers to visit each customer to know how much electricity has been consumed, for instance.
Using the “smart grid” technology would facilitate the use of demand-based variable pricing; for example, rates might be lower at night, when demand is lower. The utilities also envisage the capability to selectively limit or shut down parts of the grid, to prevent cascading failures.
Unfortunately, but unsurprisingly, there does not seem to have been much attention paid to security issues in the design of these devices:
There’s just one problem: The newfangled meters needed to make the smart grid work are built on buggy software that’s easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid.
Mr. Davis is promising to demonstrate a computer worm that attacks a particular type of smart meter at the Black Hat Security Conference next month.
What is particularly depressing about some of the problems that Davis and his colleagues have found is that the vulnerabilities result from the use of certain software facilities and techniques that have been known to be problematic at least since the days of the first Internet worm in 1988.
It seems like just another example of what has always been the curse of IT: There’s never time to do it right, but there’s always time to do it over.