Back in June, and again in September, I wrote about the idea of upgrading the US electric power infrastructure with “smart meters”. Unlike traditional meters that just record a running total of electric power used, these meters have some computing capacity and can be networked, paving the way for better real-time information about power usage, as well as for more rational pricing schemes, like time-of-day pricing. (Electricity would generally cost les at night, when the demand is lower.)
I also talked about one of the risks of this change, that the new meters and network infrastructure would prove an attractive target for hacking attacks. Some proof-of-concept attacks have already been demonstrated.
This evening, on a segment of the program 60 Minutes, CBS News reported that there have already been attempts to attack the US power distribution network. Potentially this might involve not only smart meters, which are not yet that common, but also the SCADA systems (Supervisory Control and Data Acquisition) that are used to manage parts of the power grid. These systems, which originally were typically closed, with little to no external connectivity, have in recent years begun to employ more open standards and protocols, and to have more connections to the outside world, even to the Internet. The motivation for this is clear: using open systems, and piggy-backing on Internet connectivity are much less expensive than dedicated systems. Unfortunately, except for “security by obscurity” (which we know does not work), not much attention has been paid to security in the design of these systems and networks.
According to the program’s interview with Admiral Mike McConnell, former Director of National Intelligence, there is evidence that probing attacks have already happened in the US, and more serious attacks elsewhere:
Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on Sept. 26, 2007.
That one in the state of Espirito Santo affected more than three million people in dozens of cities over a two-day period, causing major disruptions. In Vitoria, the world’s largest iron ore producer had seven plants knocked offline, costing the company $7 million. It is not clear who did it or what the motive was.
Although President Obama, earlier this year, made the improvement of cyber-security a priority in national defense policy, the US is still not in good shape to defend itself:
Asked if the U.S. is prepared for such an attack, McConnell told Kroft, “No. The United States is not prepared for such an attack.”
The program goes on to talk about attacks on other types of infrastructure systems, such as the networks that tie together the world’s banks, and make financial transactions possible. (Here I am not talking about exotic products, just things like electronic payments)
One point the program does make, which I have mentioned before, is that the character of these attacks has changed. They are no longer mainly carried out by socially- and hygienically-challenged adolescents living in basements somewhere. They are being carried out by organized crime operations and the intelligence agencies of national governments (including the US government). It’s difficult to get a really good feel for how big the problem is, because the victims of these attacks often don’t want people to know about them; but they are serious, and they’re getting worse.