Original Source


As explained in an October 1st article at DarkReading.com, European researchers will reveal later this month major security weaknesses in smart meters that could allow an attacker to order a power blackout.  A widely deployed smart meter device can be programmed to cause a power blackout or commit power usage fraud.

Researchers Javier Vazquez Vidal and Alberto Garcia Illera will reveal this month at Black Hat Europe in Amsterdam how they reverse engineered smart meters and found blatant security weaknesses that allowed them to commandeer the devices to shut down power or perform electricity usage fraud over the power line communications network.  The researchers aren’t disclosing the specific smart meter manufacturer at this time — they haven’t yet disclosed anything to the vendor in question, either.  They have hinted heavily that it’s a brand installed broadly in Spain.

“The device is not properly secured,” Vazquez Vidal says. “Once you’ve got the [encryption] keys and know the hardware, you can have full control of the network in a really big area… to turn off and on the lights remotely, and you could know power consumption in a house [to determine] if someone is in the house” at that time.

The really bad news is that there’s nothing smart meter customers can do to defend against an attack. Vazquez Vidal says that, “Since we do not own the meters that we have at home … we cannot do anything about it .… Besides, it could be considered [by the power company] as manipulation” of the devices.

Apart from the potential to cause a large-scale blackout, the researchers also reveal that weaknesses in the smart meter device provide fraudulent customers the capability to use as much power as they want and ‘spoof’ their neighbor’s smart meter identifier code making it appear that the neighbor had used that electricity.

For those who read the articles at this website, the above revelations are just confirmation of what we already know.  In June we highlighted an article by Nick Hunn entitled, “When Smart Meters Get Hacked” (June 8, 2014).   We quoted Hunn as follows:

“There‘s a lot of talk about grid security and data privacy in the energy industry, but very little about the consequences of what happens if smart meters go wrong.  By going wrong, I don‘t just mean people attempting to hack their meters to reduce their bills.  That will probably happen.  I‘m more interested in the nightmare scenario when several million electricity meters suddenly disconnect.

All they need to do is to insert a few lines of code into the firmware for a smart meter which will disconnect the meter at some specific time in the future.  For best effect, they’d set that to be during a peak time, …  The code needs to disconnect the power at that point and also disable the remote connection back to the utility, so that they can’t communicate with the meter to try and restart it.   A competent programmer should be able to write that in about ten minutes.   As the same code goes into all millions of meters from each supplier, millions would turn off together.”

In June we also quoted a paper by Ross Anderson & Shailendra Fukoria of Cambridge University, entitled “Who Controls the Off Switch”:

“From the viewpoint of a cyber attacker – whether a hostile government agency, a terrorist organisation or even a militant environmental group – the ideal attack on a target country is to interrupt its citizens’ electricity supply. … Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended.   Smart meters change the game.”

“Electricity and gas supplies might be disrupted on a massive scale by failures of smart meters, whether as a result of cyberattack or simply from software errors.  The introduction of hundreds of millions of these meters in North America and Europe over the next ten years, each containing a remotely commanded off switch, remote software upgrade and complex functionality, creates a shocking vulnerability.  An attacker who takes over the control facility or who takes over the meters directly could create widespread blackouts; a software bug could do the same.”

Lack of forethought and misguided objectives in deploying smart meters could very well result in a nightmare scenario in the not too distant future.  There may still be time to turn back and avoid catastrophic outcomes, but the government, utilities, and the smart grid industry do not yet appear willing to protect us or themselves against catastrophic events.

We urge everyone to take action to contact your local legislators and do whatever else you can to help stop the irrational deployment of smart meters into a system designed to fail.

----------------------

Update on October 7, 2014

Mike Davis, a top security researcher with cybersecurity consulting firm IOActive, identified similar threats in U.S. smart meter devices five years ago.  “It was strange.  Pretty much none of the utilities deploying smart meters at the time were considering the [smart] meters themselves as part of their threat problem,” Davis said.

Disclosure of his findings was a wake-up call for U.S. utilities, leading to increased government scrutiny and industry action to better secure the devices against cyberattack.

Davis said the vulnerabilities described by the Spanish research team sounded feasible given the slow response by utilities and meter makers to overhaul their meters’ security.

“The industry is starting to be much more intelligent,” Davis said. “Although for something that is attached to the side of your house, it still has a ways to go.”

—————————————

Source Material for this Article:



“When Smart Meters Get Hacked: The Nightmare Scenario,” at http://smartgridawareness.org/2014/06/09/the-smart-meter-nightmare-scenario/

“Who Controls the Off Switch,” by Ross Anderson & Shailendra Fukoria, Cambridge University, http://www.cl.cam.ac.uk/~rja14/Papers/meters-offswitch.pdf


“Popular Electricity Smart Meters in Spain Can Be Hacked, Researchers Say,” at http://www.reuters.com/article/2014/10/07/us-cybersecurity-spain-idUSKCN0HW15E20141007
comments powered by Disqus