As a way of improving the efficiency of electric power distribution, many utilities are looking at the deployment of so-called “smart meters” that, in addition to their basic function of measuring the amount of electricity consumed, are also networked computers. The technology certainly has its appealing features. For example, it could remove the necessity of meter readers visiting customer premises, and would facilitate the introduction of demand-based pricing, under which power would be more expensive at times of high demand, and cheaper during “off hours”. But there have also been some security concerns about the deployment of this “smart grid” technology; I’ve written about them before
The PhysOrg Web site has an article about some new security research that has been done by the security firm InGuardians for three unnamed US utility companies. As in previous examinations, the testers found significant security vulnerabilities in the meters.
At the very least, the vulnerabilities open the door for attackers to jack up strangers’ power bills. These flaws also could get hackers a key step closer to exploiting one of the most dangerous capabilities of the new technology, which is the ability to remotely turn someone else’s power on and off.
Some of the flaws found could be exploited via physical access to the meter (many of which are mounted outside). Some systems use network connection devices, called access points (analogous to routers), that contain cryptographic keys and other sensitive information. And some use wireless data communications in a not-very-secure way.
Many of these problems are reminiscent of the kinds of security problems that plagued early computer networks. It is somewhat disheartening that, in each new extension of technology, some of the same lessons seemingly must be learned anew. Nonetheless, the good news is that the utility companies are doing this testing before plunging into a large-scale deployment. I hope they pay attention to the results.