Money trumps security in smart-meter rollouts, experts say

In a rush to take advantage of U.S. stimulus money, utilities are quickly deploying thousands of smart meters to homes each day--smart meters that experts say could easily be hacked.

The security weaknesses could potentially allow miscreants to snoop on customers and steal data, cut off power to buildings, and even cause widespread outages, according to a number of experts who have studied the meters and looked into smart-grid systems. A new paper out of the University of Cambridge highlights privacy concerns from smart meters, as well as security risks caused by linking home-area networks, of which smart meters are an initial piece, to utilities.

"From a hardware perspective, cell phones today are more secure than many of the smart meters in deployment," said Karsten Nohl, a security researcher based in Germany who has previously analyzed mobile phone and smart card security.

"Those meters, however, may be used as attack vectors into the spheres of power distribution and generation, as well as into customer databases at the utilities," Nohl said. "They deserve nothing less than the best hardware protection available."

Sources for this story would not name which smart meters they found problems in or which utilities are deploying them. In general, the meter projects tend to have similar issues because of how quickly they are being deployed, they suggested.

There are about 250 active smart-metering projects worldwide, with about 49 million meters already installed and 800 million planned for installation, according to the Meterpedia.com blog. Projects in the U.S. are being accelerated because of the $3.4 billion in stimulus funds set aside for smart-grid technologies. About 60 million smart meters will be deployed in the U.S. this year, covering about half of households, according to figures from The Edison Foundation's Institute for Electric Efficiency (PDF).

Security appears to be a casualty of this haste, experts say.

"Right now a lot of utilities are in a mad grab for money because of the stimulus package. Billions [of dollars] are on the table, so they are moving forward with metering projects and they're spending money as fast as they can," said Jonathan Pollet, founder of Red Tiger Security which tests security features in SCADA systems. "The security isn't where it should be, but the vendors aren't going to turn down orders."

Utilities are focused on their core business and they are relying on vendors to provide security in the meters, sources said. But vendors have a disincentive to provide strong security features because that tends to increase the cost to develop and manufacture, making the meters more expensive and less competitive in the market, Pollet said.

"Since there is no federal mandate as to how much security to have in the meters, there aren't the right motivation factors for security to be a major factor," Pollet said. "It's an afterthought."

Nohl has carefully inspected one of the smart meters that has been deployed and was disappointed with what he saw. "We didn't find any of the security measures you would expect in an embedded device with critical-infrastructure relevance," he said. "Prominently missing are signed and encrypted firmware, secure (smart card) chips for key storage, unique cryptographic keys, and physical tamper protection."

Smart meters are being rolled out in a way that provides direct communication channels between each meter and other meters, as well as with customer resource management databases at the utility and even distribution networks, according to Nohl. "If software bugs exist in any of these components--which seems likely for their proprietary nature--a hacker can switch off the power for others, steal private customer data, or cause wide-scale outages by damaging the distribution systems; and all that from the (house) basement."

To mitigate these threats, vendors need to use strong authentication in secure chips, and utilities need to do more testing of the systems, he said.

Already there are devices available in some countries that allow people to change meters so they register less power consumption than was actually used. This offers people a way to get more power than they are paying for, and you don't need physical access to the device to do this, sources said.

"We found in certain cases you can actually replace data on the fly, so if the meter says 25 kilowatts was used you can move it to 2.5 kilowatts," said Pollet. "It's possible to sniff and read the data (remotely), replace the data with erroneous data, and we've been able to cause the meters themselves to fail by sending it different types of traffic that cause it to reboot or crash."

Some utilities are creating Web interfaces to the smart-meter system that could allow someone to change billing or take control of a meter over the Internet and then interfere with the grid, said Stuart McClure, general manager of McAfee's risk and compliance unit and head of the McAfee 911 division that is doing research on embedded systems like smart meters. "The bad guys will figure out a way to leverage this."

Fred Cohen, chief executive of Fred Cohen & Associates consultancy, painted a scary scenario where people could exploit security holes in smart meters to not only find out when a consumer is away from home to rob the house, but eventually also to shut off power to elevators and air conditioning units, disrupt city lights, and interfere with other critical systems when they are ultimately connected as part of home area networks that link all systems in a building.

"We're throwing out millions of these systems and deploying them in a broad scale knowing that these problems exist," Cohen said.

There need to be standards in place to ensure that the meters are built and designed with security in mind and that the utilities are deploying them wisely, the experts all said.

In California, a state moving aggressively into smart-meter deployments, the California Public Utility Commission (PUC) has issued a proposed decision that includes requirements for smart-grid plans that does not adequately address the question of security controls for design, testing and deployment, said Aaron Burstein, a lawyer and fellow at the School of Information at University of California at Berkeley. Independent experts need to be hired to take a look at the meters and deployments and "cast a critical eye over the basically self-regulating work that's been done so far," he added.

"Unless there is some incentive in it to be a regulatory requirement or something else, and in favor of security, generally security is an afterthought," Burstein said. "Meters are going out every day and yet we don't even have a final cybersecurity standard or set of requirements from NIST (National Institute of Standards and Technology) or from the state of California. Defining standards after something is built and deployed is a little backwards."

Some of these concerns were echoed in a paper (click for PDF) presented last Tuesday at the Ninth Workshop on the Economics of Information Security at Harvard University. The paper, written by researchers at the University of Cambridge Computer Laboratory, argued that data and security risks are not being sufficiently addressed, while the energy-saving benefits to consumers from smart meters are still not proven.

"If the smart grid and meter project goes the way it is going, it will (introduce) a complex social and technical system and it will involve non-trivial technical and economic problems," Shailendra Fuloria said in his talk on the paper, which was co-authored by Ross Anderson.

Regular data feeds from meters will give utilities a better idea of changes in demand during the course of a day, allowing them to better manage power generation. A smart meter also allows a utility to send messages to a customer. In demand-response programs, a customer can get a discount to have networked appliances, such as clothes dryer, go into energy-saving mode to reduce peak-time energy based on a utility signal.

But Fuloria warned that smart-meter data could be analyzed and used in a way that a consumer may not want. To address any potential privacy lapses, the paper recommends that data generated by smart meters belong to the actual consumer and that, by default, all transfers should be restricted to billing and essential technical information. All information sharing should be done with consumers' consent, the paper recommended.

A related recommendation is that an independent regulatory authority be formed to represent the interests of the consumer.

The paper argues that there are conflicts of interest between different parties involved in energy. Energy companies are mostly interested in moving peak-time energy use to different times of the day, whereas government policies seek to lower overall demand. Consumers, meanwhile, want reliable electricity and to find ways to lower bills.

In the U.S., NIST is tasked with developing interoperability standards for the smart grid, including security and in-home networking. In their paper, Anderson and Fuloria said that the link between a home network and utility needs more attention.

"Of more importance [than in-home networking standards] are standards to minimize the information passing from the home area network to the utility in order not just to protect customer privacy but also to prevent malware on home equipment being used to attack the utility; this is beginning to receive attention from NIST," they wrote.

Although home networks could potentially be hacked if connected to smart meters, in many cases in the U.S utilities have not yet turned on wireless-networking features.

Several smart-meter manufacturers either did not return e-mails seeking comment for this story, or the public relations representative could not get comment from executives. A representative from California PUC also was not able to respond with comment.

Paul Moreno, a spokesman for Pacific Gas & Electric, had this to say when asked about the security experts' concerns: "We have done extensive testing and preparation to ensure we protect the SmartMeter network. PG&E takes extensive measures to ensure the integrity of our control systems and to secure and protect customers and customer data."

Chris Baker, chief information officer at San Diego Gas & Electric, said his utility's smart meters have unique cryptographic keys, physical tamper protection, and built-in safeguards to ensure the security of the firmware, and that it does extensive software testing. In response to other concerns, he said such theoretical risks depend on factors including the nature of the weakness and specifics of the network configuration.

"There is always a potential risk, especially with new technology, that any system could be compromised, but we believe we are taking prudent actions to minimize this risk for our customers and our company, with due consideration for known and continually evolving threats."

(CNET's Martin LaMonica contributed to this report.)