
Utilities and the smart grid industry tout only the hypothetical benefits of smart meters, never seriously discussing the tremendous risks and costs to our society.  On the subject of cyber security, they hardly discuss it at all.  For example, the industry group, the so-called “Smart Grid Consumer Collaborative,” addresses the cyber security issue with basic, uninformative “happy talk” as follows:

“The performance of security measures are tested and reviewed regularly to guard against unauthorized access to systems.  Moreover, utility companies are working with federal agencies, such as the Department of Homeland Security, the Department of Energy, and the National Institute of Standards and Technology (NIST), to strengthen privacy and security standards to provide even more safeguards for consumer protection.” [1]

The above language says nothing of the catastrophic risks involved with the deployment of smart meters and smart grid systems.  Although you won’t receive meaningful cyber threat risk-related information from the smart grid industry, it is not hard to find elsewhere.  Just from one reference book [2] written by two cyber security specialists, you discover the following information which primarily addresses the “remote disconnect” feature of electric utility smart meters:

From a Chapter on “Smart Metering:  The First Security Challenge”

“What if [smart] meters are told to disconnect by a worm or virus?  Among all the services AMI [Advanced Metering Infrastructure] offers, the disconnect function is the most controversial in information security circles as it is the only one that directly controls the flow of power to the home or business.  While DR [Demand Response] and ALC [Automatic Load Control] involve sending a signal to a meter that could result in switching off an appliance, the consumer is usually able to easily override such action.  However, absent some rewiring, there is no equivalent override for the disconnect switch.  In fact, one of the purposes of the disconnect switch is to ensure that customers who do not pay their bills are denied electricity until they do so.”

“The greatest concern is that a successful attack could allow someone to gain control of customers all at once.  In addition to causing widespread blackouts, repeatedly switching the power off and on could create frequency imbalances and surges in the grid that could damage loads and destabilize the entire grid, potentially causing damage to generators, transformers, and other equipment in the path [including the smart meters themselves and equipment and appliances in the buildings].  Such a consequence would be much more severe than a simple power outage, resulting in damage to expensive equipment with replacement times of more than a year in some cases.   Effectively taking temporary control of a meter network could lead to widespread power outages lasting weeks or perhaps longer.”

“When the Internet started, there really were no viruses.  They were being written and they were infecting machines, but there was no real impact.  It was not until people realized that their identities were being stolen, as a result of these viruses, that anti-virus became a must. …  Once worms started taking down e-mail servers and business services, patches became extremely important and now businesses are more vigilant than ever in this regard. …  Today we are still fighting that battle, and at the same time a new battlefield is emerging.”

“Cyber security as related to the utility field is currently a place where ‘information can now be used to control physics,’ as Joe Weiss of Applied Control Solutions puts it.   The manipulation of data can be used to turn off electricity or to steal energy.  There will be multiple impacts that can be realized as a result of cyber security risks and smart metering.  But the paradigm change is that the hackers can actually harm human life.”

The reference to a “paradigm change” above simply means that the effects of a cyber attack are no longer limited to information technology assets which may include customer retail account or bank record systems.  Cyber hackers can now attack “smart” Industrial Control Systems (ICSs) of our critical infrastructure, which includes smart meters for those who have them.

When our critical infrastructure is literally “taken out” for days, weeks, or even months, bad things are going to happen, thus the reference to “harm human life.”  Initially, and for short widespread outages, the most affected would be the vulnerable members of our population who need life-sustaining medical equipment.  Also, what if a power blackout is caused during a period of extreme cold or hot weather when people’s heating or cooling systems would not operate?  As the duration of a power blackout is extended, depending on the amount of damage caused during the cyber attack, societal breakdown will eventually occur with the associated looting, havoc, and disorder typical of situations in which people believe (rightly or wrongly) that their very survival is at stake.

It is also important to be aware of the warnings and recommendations from the U.S. Government Accountability Office in its report entitled, “Electricity Grid Modernization.” [3]

“Utilities are focusing on regulatory compliance instead of comprehensive security. … Consequently, without a comprehensive approach to security, utilities leave themselves open to unnecessary risk. …  There is a lack of security features being built into smart grid systems. …  For example, our experts told us that certain currently available smart meters have not been designed with a strong security architecture and lack important security features, including event logging and forensics capabilities which are needed to detect and analyze attacks.”

“Without securely designed smart grid systems, utilities will be at risk of not having the capacity to detect and analyze attacks, which increases the risk that attacks will succeed and utilities will be unable to prevent them from recurring.”

“Until consumers are more informed about the benefits, costs, and risks of smart grid systems, utilities may not invest in, or get approval for, comprehensive security for smart grid systems, which may increase the risk of attacks succeeding.”

Hopefully it is clear from this article that our society is being placed at great risk by the smart grid industry in deploying unsafe and insecure systems and not properly informing consumers about the associated risks, in conflict with the GAO report recommendations.  Without greater public awareness, the necessary consumer and political pressures may never force the utilities to “do the right thing” in time to protect us all from disaster.

As stated by an expert respondent highlighted in a recent Pew Research Center report [4]:

“The ‘smart grid’ is the most substantial danger.  Cyber attacks that target a ‘smart grid’ will result in loss of power to large numbers of places simultaneously, causing infrastructure damages.  … No single instance will be ‘widespread harm,’ but all of these together will add up to that in only a short period of time.  Unless there is some unforeseen major new technological development …, the only way to prevent this will be to refrain from adopting ‘smart grid’ technologies.”

To gain an even better appreciation of the cyber threats posed by smart meters and the smart grid, SkyVision Solutions has prepared a special video which is just over five minutes in duration.

Article Citations

[1] Smart Grid Consumer Collaborative (SGCC) “Data Privacy and Smart Meters,” page 2.

[2] Smart Grid Security: An End-to-End View of Security in the New Electrical Grid, by Gilbert N. Sorebo (Author), Michael C. Echols (Author), Michael Assante (Foreword); Publisher: CRC Press; 1 edition (December 5, 2011).  Book available from amazon.com at http://www.amazon.com/dp/1439855870/ref=wl_it_dp_o_pC_S_ttl?_encoding=UTF8&colid=JQVO0DK288NY&coliid=I3HT55J613FATM.

[3] U.S. Government Accountability Office, GAO Report #GAO-11-117, “Electricity Grid Modernization.”

[4] Pew Research Center, October 2014, “Cyber Attacks Likely to Increase”; Expert Opinion of Andrew Chen, Associate Professor of Computer Science at Minnesota State University-Moorhead; report available at: http://www.pewInternet.org/2014/10/29/cyber-attacks-likely-to-increase/.
In this report, “widespread harm” was defined as “significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.”