By now you should have your PG&E SmartMeter installed, or no later than the end of September. Several people have asked me how secure are these SmartMeters when connected to PG&E’s smart-grid? Right now the SmartMeters are quite secure, as they are not connected to any network. The PG&E mesh network will not be installed locally for another six to eight months, according to the Tech that installed our SmartMeter.
The answer to the security question depends on whom you ask. Silver Spring, the contractor installing the mesh network, has a white paper that discusses the network security. This paper declares the network is secure.
From the start, Silver Spring recognized that the smart grid might be the target of malicious activity, and understood the vulnerabilities presented by interconnecting devices. Consequently, the company has taken an architectural approach to security and embedded it throughout the hardware devices, the software operations, and the network-level transactions running across the smart grid infrastructure.
Yet, they understand that the system is not as secure as it might be and improvements will be required in the future.
And because both functional demands on the grid and the threat landscape around it evolve over time, Silver Spring designed secure upgradeability into the system. As a result, utility customers can increase smart grid functionality as well as security through over-the-air updates to Smart Energy Platform hardware and software.
What might create a need for future updates or security upgrades?
Consider this announcement from the Information Trust Institute at the University of Illinois. Homeland Security has awarded 18.8 million dollars in grants to four academic institutions funding a five-year research project to seek methods for securing the smart-grid. The project is to make certain that the smart meters and other devices implemented by power companies can resist hackers and other attackers.I find it troubling that strong security was not built into the system from it’s inception, rather than an add on, just like PC security was an add on and we know how that worked out.
Nevada County will have PG&E’s smart grid up and running in six to eight months, but this research project to insure the smart-grid is secure from hackers is still five years away. This is not comforting news. According to an AP story this last March: Electricity 'smart' meters were found vulnerable to hackers.Computer-security researchers say new "smart" meters that are designed to help deliver electricity more efficiently also have flaws that could let hackers tamper with the power grid in previously impossible ways. These attacks can be initiated when a hacker steals a meter and reprograms it to become a rogue node on the smart-grid network. Once the hacker intercepts the access node security key, they can sit near a home or business and wirelessly hack a targeted SmartMeter using a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc.
Crooks with network access could turn off the power before they break in a house, disabling the alarm. Teen hackers could play tricks on their friends by turning off the power to a friend’s house, or a rival’s house. Or, someone could impersonate meters to the power company, to inflate victims' bills or perhaps lower their own. Silver Spring assures us that their network data is encrypted, scrambling the information coming from your meter to hide it from outsiders. But, the digital "keys" needed to unlock the encryption are stored on data-routing equipment known as access points used to relay meter data to central servers. Stealing these keys lets an attacker eavesdrop on all communication between meters and the access point, according to network security experts.
An open source tool set is being developed by Joshua Wright called the KillerBee, a collection of Linux programs that are intended for testing security. But, it is an open source tool set, available to everyone, including hackers, who might have other goals in mind. KillerBee includes applications for sniffing out any ZigBee devices in the surrounding area and recording data streams going over the wireless network. Your SmartMeter has one of those Zigbee chip sets.
KillerBee can replay those recorded data streams at a later date to replicate functions like turning on and off devices. KillerBee also includes a program for cracking the encryption key stored in ZigBee chip sets in your appliances.
Since many ZigBee devices have no display or keypad, the code required for encryption is frequently stored in factory-set Flash memory. Where keys are exchanged over the air, they are often exchanged in unencrypted form and can easily by recorded using the KillerBee tool set. Analysis of these recordings can be done later to uncover the encryption code, and to reveal a lot of information about activities on the network, including what appliances are on in a target home.Last year, security firm IOActive found flaws in a smart-meter device that allowed its researchers to insert code into one device and have it spread to others--essentially, injecting a computer worm into a local power network.
As more home appliances are added to the network the more vulnerable your home becomes to a hacker intent on mischief making. A trickster could turn off your big screen TV during the key play in an important sports event, or when the detective reveals who committed the murder in the library. Or worse yet, turn off the house power while a family is on vacation, returning home to find rotting food in the freezer.
New technologies are new opportunities and new challenges for homeowners. The SmartMeters are designed to assist PG&E manage the load on their distribution grids by controlling your appliances. A side benefit is that homeowners can monitor their power consumption daily. These tools are not flawless and appear to have some security vulnerabilities.Most homeowners will never have to deal with these security issues, but they should be aware that they exist, and remain vigilant for strangers in the neighborhood with a laptop in a parked car. Or, their teen age computer genius at the keyboard in his/her room. Anyone with the right tools and intent may be able to access the PG&E smart-grid. Remain vigilant!
Russ Steele is a freelance writer who blogs at NC Media Watch where he expands on issues presented here.